Windows Analysis Report
file_66efd0132ceed.msi

Overview

General Information

Sample name: file_66efd0132ceed.msi
Analysis ID: 1561805
MD5: 4cabbdcb677450204d2b0f8bd36f85af
SHA1: cac64533022f26832165b6d2c13c2c61e0ffb867
SHA256: 55d315224a8902e9847ee48f454fc97334e18bbaff4189f2fcbaaacba8330cbf
Tags: msi, user-JAMESWT_MHT

Detection

AteraAgent
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 4040 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\file_66efd0132ceed.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 632 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 636 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 799218A43054AFC7292CF5EAEECA0917 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 4940 cmdline: rundll32.exe "C:\Windows\Installer\MSIF0D6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7205156 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 4868 cmdline: rundll32.exe "C:\Windows\Installer\MSIF626.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7206484 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 2704 cmdline: rundll32.exe "C:\Windows\Installer\MSIC7E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7212171 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • SIHClient.exe (PID: 2704 cmdline: C:\Windows\System32\sihclient.exe /cv sXgXgx6V+U2s/Rk0DSIwWw.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)
      • rundll32.exe (PID: 2720 cmdline: rundll32.exe "C:\Windows\Installer\MSI2EE0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7220984 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 3892 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3732F891DB04E80DEAE37B187BFD9D4C E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 6220 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 5724 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 1848 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 4824 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="veronicacc@ilsamexico.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LzG3lIAF" /AgentId="d15def5a-efb4-4303-98c9-cf62501a24d9" MD5: 477293F80461713D51A98A24023D45E8)
  • AteraAgent.exe (PID: 1240 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 5464 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 6112 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "eac8115e-5d3a-4a50-9055-1d945ab05897" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LzG3lIAF MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MpCmdRun.exe (PID: 7020 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 2668 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "a6f75002-7e52-4050-bf2e-b05386661724" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LzG3lIAF MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 4216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7020 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "832c3a8d-c1ac-4e47-a5dd-e5330b8175f2" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LzG3lIAF MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 6216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DFD9E785709C7D5F3E.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DFB427C4F2E911224E.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DFBC946715E876F51D.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Installer\MSIF626.tmp-\AlphaControlAgentInstallation.dll | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
(14 more entries not shown)

Source | Rule | Description | Author | Strings
0000001C.00000002.2509242907.0000029100073000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000001C.00000002.2511482424.000002917DF5A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000019.00000002.2350356744.00000258CC663000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000019.00000002.2349386857.00000258CBDB0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
(81 more entries not shown)

Source | Rule | Description | Author | Strings
21.2.AgentPackageAgentInformation.exe.20ddcb30000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
13.0.AteraAgent.exe.2d237900000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
21.0.AgentPackageAgentInformation.exe.20ddc6c0000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
21.0.AgentPackageAgentInformation.exe.20ddc6c0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

Source: Process started, Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3732F891DB04E80DEAE37B187BFD9D4C E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3892, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 6220, ProcessName: net.exe
Source: Process started, Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3732F891DB04E80DEAE37B187BFD9D4C E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3892, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 6220, ProcessName: net.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T11:15:49.030826+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49725 | 13.232.67.199 | 443 | TCP
2024-11-24T11:15:52.435626+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49730 | 13.232.67.199 | 443 | TCP
2024-11-24T11:16:37.467776+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49739 | 13.232.67.199 | 443 | TCP
2024-11-24T11:16:48.236736+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49761 | 13.232.67.199 | 443 | TCP
2024-11-24T11:16:54.782822+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49782 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:00.530538+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49800 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:03.981425+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49810 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:09.057552+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49826 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:14.130978+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49846 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:20.775137+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49870 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:26.171412+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49892 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:32.743229+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49920 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:38.573727+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49941 | 13.232.67.199 | 443 | TCP

                              AV Detection

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, ReversingLabs: Detection: 26%
Source: file_66efd0132ceed.msi, ReversingLabs: Detection: 26%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 96.4% probability
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49719 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 108.158.75.93:443 -> 192.168.2.8:49732 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49780 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49782 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49789 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49819 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49826 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49832 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49846 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49845 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49870 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49867 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49892 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49893 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49894 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49895 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49898 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49905 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49931 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49932 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49941 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49943 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49954 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.8:49955 version: TLS 1.2
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb* source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.1596425409.000002D237902000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
                              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: rundll32.exe, 00000005.00000002.1573802278.0000000007AD4000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000015.00000002.1862662097.0000020DDCB32000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.15.dr
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb8 source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.2.dr
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr
                              Source: Binary string: \??\C:\Windows\System.pdbG source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.1596425409.000002D237902000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbesh source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.2.dr
                              Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb" source: rundll32.exe, 00000005.00000002.1573802278.0000000007ADF000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000F.00000002.2754573447.000001F37F712000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000F.00000002.2754573447.000001F37F712000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.1510037632.00000000046AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.000000000442B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2750897762.000001F37F112000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004942000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.dr
                              Source: Binary string: mC:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000012.00000002.1720579467.00000000009C7000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rundll32.exe, 00000012.00000003.1720306776.000000000753B000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.PDB source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbe source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F4A9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000000.1829319959.0000020DDC6C2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.15.dr
                              Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573802278.0000000007ACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1723421351.000000000752C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSIF626.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000015.00000002.1862933713.0000020DDD132000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.15.dr
                              Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 00000005.00000002.1573802278.0000000007ADF000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.1510037632.00000000046AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.000000000442B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2750897762.000001F37F112000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004942000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1862933713.0000020DDD132000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr
                              Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\dll\System.pdb^ source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.2.dr
                              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb7 source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: m\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1571359333.0000000000F67000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1720579467.00000000009C7000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: file_66efd0132ceed.msi, MSIEE0.tmp.2.dr, 6def90.msi.2.dr, 6def8e.msi.2.dr, MSIF5F.tmp.2.dr, MSIEF1.tmp.2.dr, MSI10B8.tmp.2.dr
                              Source: Binary string: mC:\Windows\Installer\MSIF626.tmp-\AlphaControlAgentInstallation.pdb- source: rundll32.exe, 00000005.00000002.1571359333.0000000000F67000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr
                              Source: Binary string: \??\C:\Windows\System.pdb source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000015.00000002.1862662097.0000020DDCB32000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.15.dr
                              Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1573802278.0000000007ADF000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: System.pdb source: rundll32.exe, 00000005.00000002.1573802278.0000000007AD4000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.pdb[ source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\dll\System.pdb source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb$ source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\System.pdbpdbtem.pdbT source: rundll32.exe, 00000012.00000003.1720306776.000000000753B000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbcli source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.1658732187.000002D251F52000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.2.dr
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.1658732187.000002D251F52000.00000002.00000001.01000000.00000011.sdmp, AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F362000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll.2.dr
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb1 source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: file_66efd0132ceed.msi, MSIF0D6.tmp.2.dr, MSIC7E.tmp.2.dr, MSI2EE0.tmp.2.dr, 6def90.msi.2.dr, 6def8e.msi.2.dr, MSIF626.tmp.2.dr
                              Source: Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.2.dr
                              Source: C:\Windows\System32\msiexec.exe File opened: z:
                              Source: C:\Windows\System32\msiexec.exe File opened: x:
                              Source: C:\Windows\System32\msiexec.exe File opened: v:
                              Source: C:\Windows\System32\msiexec.exe File opened: t:
                              Source: C:\Windows\System32\msiexec.exe File opened: r:
                              Source: C:\Windows\System32\msiexec.exe File opened: p:
                              Source: C:\Windows\System32\msiexec.exe File opened: n:
                              Source: C:\Windows\System32\msiexec.exe File opened: l:
                              Source: C:\Windows\System32\msiexec.exe File opened: j:
                              Source: C:\Windows\System32\msiexec.exe File opened: h:
                              Source: C:\Windows\System32\msiexec.exe File opened: f:
                              Source: C:\Windows\System32\msiexec.exe File opened: b:
                              Source: C:\Windows\System32\msiexec.exe File opened: y:
                              Source: C:\Windows\System32\msiexec.exe File opened: w:
                              Source: C:\Windows\System32\msiexec.exe File opened: u:
                              Source: C:\Windows\System32\msiexec.exe File opened: s:
                              Source: C:\Windows\System32\msiexec.exe File opened: q:
                              Source: C:\Windows\System32\msiexec.exe File opened: o:
                              Source: C:\Windows\System32\msiexec.exe File opened: m:
                              Source: C:\Windows\System32\msiexec.exe File opened: k:
                              Source: C:\Windows\System32\msiexec.exe File opened: i:
                              Source: C:\Windows\System32\msiexec.exe File opened: g:
                              Source: C:\Windows\System32\msiexec.exe File opened: e:
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File opened: c:
                              Source: C:\Windows\System32\msiexec.exe File opened: a:
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFB4A981FFFh13_2_00007FFB4A981EB6
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFB4A981873h13_2_00007FFB4A98184E
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFB4A981A44h13_2_00007FFB4A98184E
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFB4A981FFFh13_2_00007FFB4A981E7E
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFB4A981FFFh13_2_00007FFB4A981E88
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFB4A9B4ECBh15_2_00007FFB4A9B4E6B
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFB4A9CB972h15_2_00007FFB4A9CB5E7
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFB4A9B227Bh15_2_00007FFB4A9B225D
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFB4A9CB972h15_2_00007FFB4A9CB620
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFB4ABD681Eh15_2_00007FFB4ABD6765
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFB4ABD6CFCh15_2_00007FFB4ABD6932
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax15_2_00007FFB4ABD6263

                              Networking

                              Source: Yara matchFile source: 21.0.AgentPackageAgentInformation.exe.20ddc6c0000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=55ef0378-bd34-4bdb-83d2-4cef98847c3b&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=35924d94-0058-4718-9b1f-2ddd57458183&tt=0&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f087f5f2-7b58-49f6-808f-3ff0a062bb98&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2cd035b5-493b-42ef-8a0c-7668843cdc0d&tr=33&tt=17324433453164358&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?ooiAewSNq46iHqMptNhaEhfX2X8bbCxVwRliPM24sW+tjAzbftGD6UpEklYpoosk HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=30c82597-9c84-4489-895a-c306fe08576d&tr=33&tt=17324433474242351&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1525893c-da1a-47f1-9090-c6703d359f6f&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=3baba941-f261-496a-b933-9bd308fa7c86&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=bbab8eac-80d9-4b85-82f6-9bd41fbab092&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=625c342a-f58d-4894-88a7-0f12a73d0e0b&tr=33&tt=17324434048824613&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6c6b49c3-4df6-4101-91fb-684d4f16fd73&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0b5482b4-128a-47b8-9bcd-b0f99b563300&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ff2dd1d9-885a-46fe-8e7f-5a540ad227d3&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=392754e5-9d09-4f5e-8c18-73d91936b641&tt=0&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9e43bce9-1db6-46f2-9171-f572e6753fbc&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=958b96e4-e399-41e9-8d58-0d1deb75a616&tr=33&tt=17324434048824613&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e7ba127d-faea-46b0-8bfc-b1b2fcc38621&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=85c15caa-37cb-46fd-a6ee-c8729985b9f4&tr=33&tt=17324434200461240&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=04a73581-89d2-414b-b671-e3efd26147f3&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=28ed73a9-9db5-44d7-acaf-721c9a49ce4c&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2d3ae8ae-040f-464c-8cba-7d2785f40888&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9b2f45ce-12e9-4161-ad72-09f2e15b84d0&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=da1cc509-7766-41b3-99b4-204f1ef88690&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1b1043f4-4037-4343-9561-1316ef9829bf&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ccc99601-6851-4238-90a7-17abb94d8a97&tt=0&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=75a7f166-9092-405a-aa00-38a9a77e5eae&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a3aed830-4538-4a0c-8880-b4e93ae94626&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d88a8beb-580c-4eae-be4b-b07e69debebd&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1043b6b4-24c3-4b2c-8715-05fa1152bb8e&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=deedb6f3-d7ab-40dc-bc11-0b1184a6d22a&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7ad76688-4452-435a-8518-58b2eaee9c6b&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0b7f434f-4e93-4de1-96e0-b290421338b8&tt=0&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2f81232c-ba3d-448d-ad5c-71e3d13e104d&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=be00bfee-7c6d-496b-a7d0-fdd77a8acffb&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f2b2651c-4fd7-4f48-bd8b-32fdf2d1d2f4&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=df88223c-6673-43b9-8836-8487bfe2f07f&tr=33&tt=17324434389366283&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49725 -> 13.232.67.199:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49730 -> 13.232.67.199:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49739 -> 13.232.67.199:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49782 -> 13.232.67.199:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49810 -> 13.232.67.199:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49800 -> 13.232.67.199:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49826 -> 13.232.67.199:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49846 -> 13.232.67.199:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49761 -> 13.232.67.199:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49870 -> 13.232.67.199:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49892 -> 13.232.67.199:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49920 -> 13.232.67.199:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49941 -> 13.232.67.199:443
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=df88223c-6673-43b9-8836-8487bfe2f07f&tr=33&tt=17324434389366283&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic, DNS traffic detected: DNS query: agent-api.atera.com
Source: global traffic, DNS traffic detected: DNS query: ps.pndsn.com
Source: global traffic, DNS traffic detected: DNS query: ps.atera.com
                              Source: Newtonsoft.Json.dll.18.drString found in binary or memory: http://james.newtonking.com/projects/json
                              Source: AteraAgent.exe, 0000000D.00000002.1655114941.000002D251DB0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1659794326.000002D252192000.00000004.00000020.00020000.00000000.sdmp, 8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A9440.15.drString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
                              Source: 698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB0.13.drString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
                              Source: AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F347000.00000004.00000020.00020000.00000000.sdmp, C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.13.drString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                              Source: AteraAgent.exe, 0000000D.00000002.1655297701.000002D251E38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/_P
                              Source: AteraAgent.exe, 0000000D.00000002.1655297701.000002D251E38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/l
                              Source: AteraAgent.exe, 0000000D.00000002.1655114941.000002D251DB0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1660222174.000002D2521EC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1654484016.000002D2397B9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F4A9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F310000.00000004.00000020.00020000.00000000.sdmp, file_66efd0132ceed.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.2.dr, AgentPackageAgentInformation.exe.15.dr, 6def90.msi.2.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, 6def8e.msi.2.dr, AteraAgent.exe.2.dr, BouncyCastle.Crypto.dll.2.drString found in binary or memory: http://ocsp.digicert.com0
                              Source: rundll32.exe, 00000004.00000003.1510037632.00000000046AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.000000000442B000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.2079954588.0000028DD1DD0000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.2081099437.0000028DD1DCD000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000002.2084171641.0000028DD1DA7000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.2080316683.0000028DD1DD2000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000002.2084171641.0000028DD1DA2000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000002.2084423634.0000028DD1DD0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F4A9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2754779314.000001F37F84B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2749688656.000001F37EE50000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2749688656.000001F37EF26000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F371000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004942000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1863818892.0000020DF59EA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2351430427.00000258E4F0E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2351430427.00000258E4EBE000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 
0000001C.00000002.2513010691.000002917EF29000.00000004.00000020.00020000.00000000.sdmp, file_66efd0132ceed.msi, C56C4404C4DEF0DC88E5FCD9F09CB2F1.15.drString found in binary or memory: http://ocsp.digicert.com0A
                              Source: rundll32.exe, 00000004.00000003.1510037632.00000000046AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.000000000442B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F4A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004942000.00000004.00000020.00020000.00000000.sdmp, file_66efd0132ceed.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, MSIEE0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, 6def90.msi.2.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, Microsoft.Deployment.WindowsInstaller.dll.18.drString found in binary or memory: http://ocsp.digicert.com0C
                              Source: rundll32.exe, 00000004.00000003.1510037632.00000000046AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.000000000442B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004942000.00000004.00000020.00020000.00000000.sdmp, file_66efd0132ceed.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSIEE0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 6def90.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 6def8e.msi.2.dr, MSIF5F.tmp.2.dr, MSIEF1.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, MSI10B8.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0K
                              Source: rundll32.exe, 00000004.00000003.1510037632.00000000046AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.000000000442B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004942000.00000004.00000020.00020000.00000000.sdmp, file_66efd0132ceed.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSIEE0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 6def90.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 6def8e.msi.2.dr, MSIF5F.tmp.2.dr, MSIEF1.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, MSI10B8.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0N
                              Source: rundll32.exe, 00000004.00000003.1510037632.00000000046AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.000000000442B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004942000.00000004.00000020.00020000.00000000.sdmp, file_66efd0132ceed.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, MSIEE0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Newtonsoft.Json.dll.5.dr, 6def90.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, Newtonsoft.Json.dll.18.dr, 6def8e.msi.2.dr, MSIF5F.tmp.2.dr, MSIEF1.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, MSI10B8.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0O
                              Source: rundll32.exe, 00000004.00000003.1510037632.00000000046AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.000000000442B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1655114941.000002D251DB0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F4A9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F3CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004942000.00000004.00000020.00020000.00000000.sdmp, file_66efd0132ceed.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, 6def90.msi.2.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr, 6def8e.msi.2.drString found in binary or memory: http://ocsp.digicert.com0X
                              Source: AteraAgent.exe, 0000000D.00000002.1659794326.000002D2521DC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2754779314.000001F37F84B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F38C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
                              Source: AteraAgent.exe, 0000000F.00000002.2749688656.000001F37EF26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                              Source: AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F3C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80
                              Source: AteraAgent.exe, 0000000D.00000002.1655297701.000002D251E38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
                              Source: AteraAgent.exe, 0000000F.00000002.2754779314.000001F37F84B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7Nfjgt
                              Source: AteraAgent.exe, 0000000D.00000002.1655297701.000002D251E20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
                              Source: AteraAgent.exe, 0000000F.00000002.2754779314.000001F37F84B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                              Source: AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F362000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2749688656.000001F37EE9F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F3007F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                              Source: AteraAgent.exe, 0000000D.00000002.1654484016.000002D2397B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                              Source: AteraAgent.exe, 0000000D.00000002.1654484016.000002D2397B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                              Source: AteraAgent.exe, 0000000D.00000002.1654484016.000002D2397B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                              Source: rundll32.exe, 00000005.00000002.1573091251.00000000052F4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573091251.0000000005251000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F300001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004BB4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004B11000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1863198951.0000020DDD293000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2350356744.00000258CC69F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2509242907.00000291000BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: rundll32.exe, 00000004.00000003.1510037632.00000000046AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.000000000442B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004942000.00000004.00000020.00020000.00000000.sdmp, file_66efd0132ceed.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSIEE0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 6def90.msi.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, 6def8e.msi.2.dr, MSIF5F.tmp.2.dr, MSIEF1.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, MSI10B8.tmp.2.drString found in binary or memory: http://wixtoolset.org
                              Source: rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, Microsoft.Deployment.WindowsInstaller.dll.5.drString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                              Source: rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, Microsoft.Deployment.WindowsInstaller.dll.5.drString found in binary or memory: http://wixtoolset.org/news/
                              Source: rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, Microsoft.Deployment.WindowsInstaller.dll.5.drString found in binary or memory: http://wixtoolset.org/releases/
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS
                              Source: rundll32.exe, 00000004.00000003.1510037632.00000000046AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.000000000442B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1655114941.000002D251DB0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1660222174.000002D2521EC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1654484016.000002D2397B9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F4A9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F310000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004942000.00000004.00000020.00020000.00000000.sdmp, file_66efd0132ceed.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, 6def90.msi.2.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.drString found in binary or memory: http://www.digicert.com/CPS0
                              Source: AteraAgent.exe, 0000000D.00000002.1654484016.000002D2397B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                              Source: AteraAgent.exe, 0000000D.00000002.1654484016.000002D2397B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F3008D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P
                              Source: rundll32.exe, 00000005.00000002.1573091251.00000000052F4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004BB4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterD
                              Source: rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573091251.00000000052F4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573091251.0000000005251000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F300219000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F300001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004BB4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004B11000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1863198951.0000020DDD293000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2350356744.00000258CC69F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2509242907.00000291000BF000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.drString found in binary or memory: https://agent-api.atera.com
                              Source: rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573091251.00000000052F4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573091251.0000000005251000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004BB4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004B11000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.drString found in binary or memory: https://agent-api.atera.com/
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Pro
                              Source: AgentPackageAgentInformation.exe, 00000015.00000002.1863198951.0000020DDD293000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2350356744.00000258CC69F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2509242907.00000291000BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                              Source: rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573091251.00000000052F4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573091251.0000000005251000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004BB4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004B11000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.drString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F30008F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/Agent
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
                              Source: AgentPackageAgentInformation.exe, 00000015.00000002.1863198951.0000020DDD293000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2350356744.00000258CC69F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2509242907.00000291000BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F300219000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F300219000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F300219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback0
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F30008F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F300219000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesd
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesscribe
                              Source: AteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesseTaskFactory9
                              Source: rundll32.exe, 00000005.00000002.1573091251.00000000052F4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573091251.0000000005251000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004BB4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004B11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
                              Source: AgentPackageAgentInformation.exe, 00000019.00000002.2350356744.00000258CC69F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.comx
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                              Spam, unwanted Advertisements and Ransom Demands

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6def8e.msi
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF0D6.tmp
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF626.tmp
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC7E.tmp
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipi
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEE0.tmp
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEF1.tmp
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF5F.tmp
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI10B8.tmp
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6def90.msi
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2EE0.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF0D6.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF0D6.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF0D6.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF0D6.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF0D6.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF0D6.tmp-\CustomAction.config
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF626.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF626.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF626.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF626.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF626.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF626.tmp-\CustomAction.config
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIC7E.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIC7E.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIC7E.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIC7E.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIC7E.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIC7E.tmp-\CustomAction.config
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Windows\System32\SIHClient.exeFile created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP382F.tmp
                              Source: C:\Windows\System32\SIHClient.exeFile created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP4720.tmp
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2EE0.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2EE0.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2EE0.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2EE0.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2EE0.tmp-\CustomAction.config
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                              Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIF0D6.tmp
                              Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                              Source: file_66efd0132ceed.msiBinary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs file_66efd0132ceed.msi
                              Source: file_66efd0132ceed.msiBinary or memory string: OriginalFilenameSfxCA.dll\ vs file_66efd0132ceed.msi
                              Source: file_66efd0132ceed.msiBinary or memory string: OriginalFilenamewixca.dll\ vs file_66efd0132ceed.msi
                              Source: ICSharpCode.SharpZipLib.dll.2.dr, InflaterInputBuffer.csCryptographic APIs: 'TransformBlock'
                              Source: ICSharpCode.SharpZipLib.dll.2.dr, DeflaterOutputStream.csCryptographic APIs: 'TransformBlock'
                              Source: ICSharpCode.SharpZipLib.dll.2.dr, ZipAESTransform.csCryptographic APIs: 'TransformBlock'
                              Source: AteraAgent.exe.2.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                              Source: classification engineClassification label: mal88.troj.spyw.evad.winMSI@40/86@11/2
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6216:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMutant created: NULL
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3016:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6516:120:WilError_03
                              Source: C:\Windows\System32\SIHClient.exeMutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6380:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4216:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5828:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DFD9E785709C7D5F3E.TMP
                              Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                              Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                              Source: C:\Windows\System32\SIHClient.exeFile read: C:\Windows\System32\drivers\etc\hosts
                              Source: file_66efd0132ceed.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                              Source: file_66efd0132ceed.msiReversingLabs: Detection: 26%
                              Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\file_66efd0132ceed.msi"
                              Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 799218A43054AFC7292CF5EAEECA0917
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIF0D6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7205156 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIF626.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7206484 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC7E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7212171 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3732F891DB04E80DEAE37B187BFD9D4C E Global\MSI0000
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="veronicacc@ilsamexico.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LzG3lIAF" /AgentId="d15def5a-efb4-4303-98c9-cf62501a24d9"
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv sXgXgx6V+U2s/Rk0DSIwWw.0.2
                              Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2EE0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7220984 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "eac8115e-5d3a-4a50-9055-1d945ab05897" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LzG3lIAF
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "a6f75002-7e52-4050-bf2e-b05386661724" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LzG3lIAF
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "832c3a8d-c1ac-4e47-a5dd-e5330b8175f2" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LzG3lIAF
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                              Source: file_66efd0132ceed.msi Static file information: File size 2994176 > 1048576
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb* source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.1596425409.000002D237902000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
                              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: rundll32.exe, 00000005.00000002.1573802278.0000000007AD4000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000015.00000002.1862662097.0000020DDCB32000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.15.dr
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb8 source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.2.dr
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr
                              Source: Binary string: \??\C:\Windows\System.pdbG source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.1596425409.000002D237902000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbesh source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.2.dr
                              Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb" source: rundll32.exe, 00000005.00000002.1573802278.0000000007ADF000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000F.00000002.2754573447.000001F37F712000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000F.00000002.2754573447.000001F37F712000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.1510037632.00000000046AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.000000000442B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2750897762.000001F37F112000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004942000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.dr
                              Source: Binary string: mC:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000012.00000002.1720579467.00000000009C7000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rundll32.exe, 00000012.00000003.1720306776.000000000753B000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.PDB source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbe source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F4A9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000000.1829319959.0000020DDC6C2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.15.dr
                              Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573802278.0000000007ACD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1723421351.000000000752C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSIF626.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000015.00000002.1862933713.0000020DDD132000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.15.dr
                              Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 00000005.00000002.1573802278.0000000007ADF000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.1510037632.00000000046AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.000000000442B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2750897762.000001F37F112000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004942000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1862933713.0000020DDD132000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr
                              Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\dll\System.pdb^ source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.2.dr
                              Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb7 source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: m\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1571359333.0000000000F67000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1720579467.00000000009C7000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: file_66efd0132ceed.msi, MSIEE0.tmp.2.dr, 6def90.msi.2.dr, 6def8e.msi.2.dr, MSIF5F.tmp.2.dr, MSIEF1.tmp.2.dr, MSI10B8.tmp.2.dr
                              Source: Binary string: mC:\Windows\Installer\MSIF626.tmp-\AlphaControlAgentInstallation.pdb- source: rundll32.exe, 00000005.00000002.1571359333.0000000000F67000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr
                              Source: Binary string: \??\C:\Windows\System.pdb source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000015.00000002.1862662097.0000020DDCB32000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.15.dr
                              Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1573802278.0000000007ADF000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: System.pdb source: rundll32.exe, 00000005.00000002.1573802278.0000000007AD4000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.pdb[ source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\dll\System.pdb source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb$ source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\System.pdbpdbtem.pdbT source: rundll32.exe, 00000012.00000003.1720306776.000000000753B000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbcli source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.1658732187.000002D251F52000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.2.dr
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.1658732187.000002D251F52000.00000002.00000001.01000000.00000011.sdmp, AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F362000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll.2.dr
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb1 source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: file_66efd0132ceed.msi, MSIF0D6.tmp.2.dr, MSIC7E.tmp.2.dr, MSI2EE0.tmp.2.dr, 6def90.msi.2.dr, 6def8e.msi.2.dr, MSIF626.tmp.2.dr
                              Source: Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.2.dr
                              Source: BouncyCastle.Crypto.dll.2.drStatic PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
                              Source: MSIC7E.tmp.2.drStatic PE information: real checksum: 0x32353 should be: 0x88610
                              Source: MSI2EE0.tmp.2.drStatic PE information: real checksum: 0x32353 should be: 0x88610
                              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_05201961 push es; ret 5_3_0520199C
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 15_2_00007FFB4ABC0F38 push eax; ret 15_2_00007FFB4ABC0F94
                              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06EC57B8 push es; ret 18_3_06EC5840
                              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06EC6880 push es; ret 18_3_06EC6890
                              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06ECB235 push ds; ret 18_3_06ECB243
                              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06ECD1A1 push es; ret 18_3_06ECD1B0
                              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06ECDDC0 push es; ret 18_3_06ECDDD0
                              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06FA84A1 push es; ret 18_3_06FA84B0
                              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06FA18F0 push es; ret 18_3_06FA1900
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFB4A9900BD pushad ; iretd 21_2_00007FFB4A9900C1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FFB4A9A5587 push ebp; iretd 21_2_00007FFB4A9A55D8
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 25_2_00007FFB4A9A00BD pushad ; iretd 25_2_00007FFB4A9A00C1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FFB4A9900BD pushad ; iretd 28_2_00007FFB4A9900C1

                              Persistence and Installation Behavior

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Jump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Jump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI10B8.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIC7E.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF0D6.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF0D6.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC7E.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF0D6.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2EE0.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEF1.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF0D6.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF626.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2EE0.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2EE0.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2EE0.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIC7E.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF5F.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF626.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF626.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF0D6.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF626.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIC7E.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIC7E.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF626.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                              Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2D237C50000 memory reserve | memory write watchJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2D2516F0000 memory reserve | memory write watchJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1F37E170000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1F37E790000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 20DDCAF0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 20DF5210000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 258CC020000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 258E45E0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2917E030000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2917E6C0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 2620
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 6971
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC7E.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI10B8.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF0D6.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF0D6.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC7E.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF0D6.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2EE0.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIEF1.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF0D6.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF626.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2EE0.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2EE0.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2EE0.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC7E.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF5F.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF626.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF626.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF0D6.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF626.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC7E.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC7E.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF626.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exe TID: 6080Thread sleep time: -30000s >= -30000sJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6836Thread sleep time: -60000s >= -30000sJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3700Thread sleep time: -922337203685477s >= -30000sJump to behavior
                              Source: C:\Windows\System32\SIHClient.exe TID: 568Thread sleep time: -60000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3164Thread sleep count: 2620 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3164Thread sleep count: 6971 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5724Thread sleep time: -23980767295822402s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5724Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6956Thread sleep count: 50 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6956Thread sleep time: -500000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4064Thread sleep time: -3689348814741908s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5528Thread sleep time: -270000s >= -30000s
                              Source: C:\Windows\SysWOW64\rundll32.exe TID: 6200Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6768Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5900Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6112Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1496Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1972Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6280Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                              Source: C:\Windows\System32\SIHClient.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                              Source: C:\Windows\System32\SIHClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain FROM Win32_ComputerSystem
                              Source: C:\Windows\System32\SIHClient.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                              Source: AgentPackageAgentInformation.exe.15.drBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                              Source: AteraAgent.exe, 0000000D.00000002.1656080040.000002D251E8D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWn
                              Source: SIHClient.exe, 0000000E.00000003.2081536504.0000028DD1476000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000002.2083738573.0000028DD1476000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
                              Source: AteraAgent.exe, 0000000D.00000002.1655516921.000002D251E4F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1656080040.000002D251E8D000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.1687630365.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.1684761309.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.1685872070.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.1686753065.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.2081536504.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.1685218501.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000002.2083738573.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2751509797.000001F37F3F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                              Source: SIHClient.exe, 0000000E.00000003.1687630365.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.1684761309.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.1685872070.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.1686753065.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.2081536504.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000003.1685218501.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 0000000E.00000002.2083738573.0000028DD14C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWK
                              Source: rundll32.exe, 00000012.00000002.1720882081.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1720337204.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2351430427.00000258E4EBE000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2513010691.000002917EF29000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: rundll32.exe, 00000005.00000002.1571736262.0000000003538000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
                              Source: AgentPackageAgentInformation.exe, 00000015.00000002.1863818892.0000020DF59EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllBB
                              Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                              Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: page read and write | page guardJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="veronicacc@ilsamexico.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LzG3lIAF" /AgentId="d15def5a-efb4-4303-98c9-cf62501a24d9"Jump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgentJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                              Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgentJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "eac8115e-5d3a-4a50-9055-1d945ab05897" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LzG3lIAF
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "a6f75002-7e52-4050-bf2e-b05386661724" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LzG3lIAF
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="veronicacc@ilsamexico.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000lzg3liaf" /agentid="d15def5a-efb4-4303-98c9-cf62501a24d9"
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "eac8115e-5d3a-4a50-9055-1d945ab05897" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000lzg3liaf
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "a6f75002-7e52-4050-bf2e-b05386661724" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000lzg3liaf
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "832c3a8d-c1ac-4e47-a5dd-e5330b8175f2" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000lzg3liaf
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="veronicacc@ilsamexico.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000lzg3liaf" /agentid="d15def5a-efb4-4303-98c9-cf62501a24d9"Jump to behavior
                              Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIF0D6.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIF0D6.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIF626.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIF626.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIF626.tmp-\Newtonsoft.Json.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIC7E.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIC7E.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2EE0.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2EE0.tmp-\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                              Remote Access Functionality

Source: Yara match | File source: 21.2.AgentPackageAgentInformation.exe.20ddcb30000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.AteraAgent.exe.2d237900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.AgentPackageAgentInformation.exe.20ddc6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4940, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4868, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2704, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AteraAgent.exe PID: 4824, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AteraAgent.exe PID: 1240, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 6112, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 2668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7020, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DFD9E785709C7D5F3E.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DFB427C4F2E911224E.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DFBC946715E876F51D.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\MSIF626.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DF7C5DF2A1FD1395B7.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\MSIC7E.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match | File source: C:\Config.Msi\6def8f.rbs, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DF49B5C2D0F32FF272.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DFC63CC543F8C13A3F.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\MSIF0D6.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\MSIEE0.tmp, type: DROPPED

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 141 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Disable or Modify Tools | OS Credential Dumping | 11 Peripheral Device Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 21 Windows Service | 21 Windows Service | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 11 Service Execution | Logon Script (Windows) | 11 Process Injection | 21 Obfuscated Files or Information | Security Account Manager | 34 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 231 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 122 Masquerading | DCSync | 151 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 151 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 11 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Rundll32 | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |

Behavior graph (image not reproduced): Behavior Graph ID: 1561805, Sample: file_66efd0132ceed.msi, Startdate: 24/11/2024, Architecture: WINDOWS, Score: 88

Source | Detection | Scanner | Label | Link
file_66efd0132ceed.msi | 26% | ReversingLabs | Win32.Trojan.Atera |
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | 26% | ReversingLabs | Win32.Trojan.Atera |
C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI10B8.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI2EE0.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI2EE0.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI2EE0.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI2EE0.tmp-\System.Management.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIC7E.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIC7E.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIC7E.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIC7E.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIC7E.tmp-\System.Management.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIEF1.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIF0D6.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIF0D6.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIF0D6.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIF0D6.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIF0D6.tmp-\System.Management.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIF5F.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIF626.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIF626.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIF626.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIF626.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIF626.tmp-\System.Management.dll | 0% | ReversingLabs | |
                              No Antivirus matches
                              No Antivirus matches
Source | Detection | Scanner | Label | Link
https://agent-api.atera.comx | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ps.pndsn.com | 13.232.67.199 | true | false | | high
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
d25btwd9wax8gu.cloudfront.net | 108.158.75.93 | true | false | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
windowsupdatebg.s.llnwi.net | 178.79.238.0 | true | false | | high
ps.atera.com | unknown | unknown | false | | high
agent-api.atera.com | unknown | unknown | false | | high
                                                                                                                                                            high
                                                                                                                                                            https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5aAteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000F.00000002.2740367594.000001F300178000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000E0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000C8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3001A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000E0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://agent-api.atera.comrundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573091251.00000000052F4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573091251.0000000005251000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F300219000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F300001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004BB4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004B11000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1863198951.0000020DDD293000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2350356744.00000258CC69F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2509242907.00000291000BF000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://agent-api.atera.com/Production/Agent/AgentStartingAteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://www.w3.ohAteraAgent.exe, 0000000D.00000002.1654484016.000002D2397B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e7ba127d-faea-46b0-8bfc-b1b2fcc38621AteraAgent.exe, 0000000F.00000002.2740367594.000001F3001EE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://agent-api.atera.com/Production/Agent/GetCommandsAteraAgent.exe, 0000000F.00000002.2740367594.000001F300219000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d88a8beb-580c-4eae-be4b-b07e69debebdAteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://agent-api.atera.com/rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573091251.00000000052F4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1573091251.0000000005251000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004BB4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004B11000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.drfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://agent-api.atera.com/Production/Agent/GetRecurringPackagesAteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F30008F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zipAteraAgent.exe, 0000000F.00000002.2740367594.000001F300178000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000E0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000C8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3001A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://www.newtonsoft.com/jsonschemaNewtonsoft.Json.dll.18.drfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.AteraAgent.exe, 0000000F.00000002.2740367594.000001F300178000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000E0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000C8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3001A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zipAteraAgent.exe, 0000000F.00000002.2740367594.000001F300178000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000E0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000C8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3001A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.zAteraAgent.exe, 0000000F.00000002.2740367594.000001F300178000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000E0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000C8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3001A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=55ef0378-bd34-4bdb-83d2-4cef98847c3bAteraAgent.exe, 0000000F.00000002.2740367594.000001F30008F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F300081000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zipAteraAgent.exe, 0000000F.00000002.2740367594.000001F300178000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000E0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000C8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3001A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zipAteraAgent.exe, 0000000F.00000002.2740367594.000001F300178000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000E0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000C8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3001A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zipAteraAgent.exe, 0000000F.00000002.2740367594.000001F300178000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000E0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000C8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3001A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://www.newtonsoft.com/jsonrundll32.exe, 00000004.00000003.1510037632.00000000046AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.000000000442B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004942000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.drfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      http://wixtoolset.org/news/rundll32.exe, 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, Microsoft.Deployment.WindowsInstaller.dll.5.drfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbfSystem.ValueTuple.dll.2.drfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformationAteraAgent.exe, 0000000F.00000002.2740367594.000001F300180000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000D8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://agent-api.aterDrundll32.exe, 00000005.00000002.1573091251.00000000052F4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.1722067056.0000000004BB4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscoveryAteraAgent.exe, 0000000F.00000002.2740367594.000001F300178000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000E0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000C8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3001A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zipAteraAgent.exe, 0000000F.00000002.2740367594.000001F300178000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000E0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000C8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3001A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  https://agent-api.atera.com/Production/Agent/GetRecurringPackagesseTaskFactory9AteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    https://agent-api.atera.comxAgentPackageAgentInformation.exe, 00000019.00000002.2350356744.00000258CC69F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                                                                                    unknown
                                                                                                                                                                                                                    https://agent-api.atera.com/ProAteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      https://agent-api.atera.com/Production/Agent/AcknowledgeCommandsAteraAgent.exe, 0000000F.00000002.2740367594.000001F300266000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
                                                                                                                                                                                                                        https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000F.00000002.2740367594.000001F300178000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000E0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3001A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          high
                                                                                                                                                                                                                          https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.0/AgentPackageAgentInformationAteraAgent.exe, 0000000F.00000002.2740367594.000001F300180000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3000D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.2740367594.000001F3001A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            high
                                                                                                                                                                                                                            https://agent-api.PAteraAgent.exe, 0000000F.00000002.2740367594.000001F3008D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              high
                                                                                                                                                                                                                              http://www.w3.oAteraAgent.exe, 0000000D.00000002.1654484016.000002D2397B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                high
IP | Domain | Country | ASN | ASN Name | Malicious
108.158.75.93 | d25btwd9wax8gu.cloudfront.net | United States | 16509 | AMAZON-02US | false
13.232.67.199 | ps.pndsn.com | United States | 16509 | AMAZON-02US | false
                                                                                                                                                                                                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                                  Analysis ID:1561805
                                                                                                                                                                                                                                                  Start date and time:2024-11-24 11:14:14 +01:00
                                                                                                                                                                                                                                                  Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                                  Overall analysis duration:0h 10m 28s
                                                                                                                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                                  Report type:full
                                                                                                                                                                                                                                                  Cookbook file name:default.jbs
                                                                                                                                                                                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                                                  Number of analysed new started processes analysed:30
                                                                                                                                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                                                                                                                  Technologies:
                                                                                                                                                                                                                                                  • HCA enabled
                                                                                                                                                                                                                                                  • EGA enabled
                                                                                                                                                                                                                                                  • AMSI enabled
                                                                                                                                                                                                                                                  Analysis Mode:default
                                                                                                                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                                                                                                                  Sample name:file_66efd0132ceed.msi
                                                                                                                                                                                                                                                  Detection:MAL
                                                                                                                                                                                                                                                  Classification:mal88.troj.spyw.evad.winMSI@40/86@11/2
                                                                                                                                                                                                                                                  EGA Information:Failed
                                                                                                                                                                                                                                                  HCA Information:
                                                                                                                                                                                                                                                  • Successful, ratio: 72%
                                                                                                                                                                                                                                                  • Number of executed functions: 429
                                                                                                                                                                                                                                                  • Number of non-executed functions: 0
                                                                                                                                                                                                                                                  Cookbook Comments:
                                                                                                                                                                                                                                                  • Found application associated with file extension: .msi
                                                                                                                                                                                                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
                                                                                                                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 40.119.152.241, 178.79.238.0, 192.229.221.95, 52.149.20.212, 40.69.42.241, 199.232.210.172
                                                                                                                                                                                                                                                  • Excluded domains from analysis (whitelisted): crl.edge.digicert.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, cacerts.digicert.com, agentsapi.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, atera-agent-api-eu.westeurope.cloudapp.azure.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, crl3.digicert.com, crl4.digicert.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 2668 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 6112 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7020 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AteraAgent.exe, PID 1240 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target AteraAgent.exe, PID 4824 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target rundll32.exe, PID 2704 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target rundll32.exe, PID 2720 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target rundll32.exe, PID 4868 because it is empty
                                                                                                                                                                                                                                                  • Execution Graph export aborted for target rundll32.exe, PID 4940 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                                                                  • VT rate limit hit for: file_66efd0132ceed.msi
Time | Type | Description
05:15:29 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
05:15:35 | API Interceptor | 1941910x Sleep call for process: AteraAgent.exe modified
05:15:41 | API Interceptor | 2x Sleep call for process: SIHClient.exe modified
05:15:58 | API Interceptor | 3x Sleep call for process: AgentPackageAgentInformation.exe modified
05:16:00 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.232.67.199 | setup (1).msi | malicious | AteraAgent |
                                                                                                                                                                                                                                                    • 13.35.58.104
                                                                                                                                                                                                                                                    Guidelines_for_Citizen_Safety.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                    • 99.86.114.21
                                                                                                                                                                                                                                                    Lisect_AVT_24003_G1B_84.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                    • 18.66.112.74
                                                                                                                                                                                                                                                    forumapp.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                    • 18.66.112.49
                                                                                                                                                                                                                                                    VANTAGENS_BBCLIENTES00001S4D444400000S.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                    • 143.204.68.99
                                                                                                                                                                                                                                                    2cFFfHDG7D.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                    • 3.165.136.99
                                                                                                                                                                                                                                                    2503.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                    • 99.84.160.56
                                                                                                                                                                                                                                                    Salary.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                    • 108.139.47.50
                                                                                                                                                                                                                                                    https://kinneretacil.egnyte.com/fl/gRykrFURtEGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                    • 108.139.47.50
                                                                                                                                                                                                                                                    bg.microsoft.map.fastly.netzapret.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                    • 199.232.214.172
                                                                                                                                                                                                                                                    canva.batGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                    • 199.232.210.172
                                                                                                                                                                                                                                                    file.exeGet hashmaliciousJasonRATBrowse
                                                                                                                                                                                                                                                    • 199.232.210.172
                                                                                                                                                                                                                                                    4yOuoT4GFy.exeGet hashmaliciousAsyncRATBrowse
                                                                                                                                                                                                                                                    • 199.232.214.172
                                                                                                                                                                                                                                                    6xQ8CMUaES.exeGet hashmaliciousXmrigBrowse
                                                                                                                                                                                                                                                    • 199.232.210.172
                                                                                                                                                                                                                                                    1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                    • 199.232.214.172
                                                                                                                                                                                                                                                    17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                                    • 199.232.214.172
                                                                                                                                                                                                                                                    file.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                                                                                                                                                                                                                    • 199.232.210.172
                                                                                                                                                                                                                                                    download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                    • 199.232.210.172
                                                                                                                                                                                                                                                    download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                    • 146.75.30.172
Match: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Associated Sample Name / URL:
• setup (1).msi, Detection: malicious, Threat Name: AteraAgent
• BOMB-762.msi, Detection: malicious, Threat Name: AteraAgent
• LaudoBombeirosPDF.msi, Detection: malicious, Threat Name: AteraAgent
• 1nzNNooNMS.msi, Detection: malicious, Threat Name: AteraAgent
• Le55bnMCON.msi, Detection: malicious, Threat Name: AteraAgent
• z8yxMFhhZI.msi, Detection: malicious, Threat Name: AteraAgent
• kTbv9ZA2x0.msi, Detection: malicious, Threat Name: AteraAgent
• IwmwOaVHnd.msi, Detection: malicious, Threat Name: AteraAgent
• gaYiWz75kv.msi, Detection: malicious, Threat Name: AteraAgent
• e8gTT6OTKZ.msi, Detection: malicious, Threat Name: AteraAgent
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):8833
                                                                                                                                                                                                                                                                        Entropy (8bit):5.659158843600033
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:192:mjjxz1ccbTOOeMeyR61g7r6IHfg7r6kAVv70HVotBVeZEmzmYpLAV777ppY9ur:mXD2tEpEtiB2ij
                                                                                                                                                                                                                                                                        MD5:82C2984D7B90052CB9171EE27927F581
                                                                                                                                                                                                                                                                        SHA1:7B92C128F1FCDD10C0DF227B27B435255A96C165
                                                                                                                                                                                                                                                                        SHA-256:ACFB30148445CF2480E518CD00EB1F6EA731FC2AD1063525FA4F1E80CEBA4C32
                                                                                                                                                                                                                                                                        SHA-512:58BCF1B607C5CD83CCD0EE5CF8AA3EA5A9373D11D2F8A2BC8A5850B6F3A4CD49A1CBAD5E46ACFFABF0C2EBEEC1009050947126F42BDD537D446847D02BD237CA
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\6def8f.rbs, Author: Joe Security
                                                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.)xY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..file_66efd0132ceed.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{38F0
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                                                        Joe Sandbox View:
• Filename: setup (1).msi, Detection: malicious
• Filename: BOMB-762.msi, Detection: malicious
• Filename: LaudoBombeirosPDF.msi, Detection: malicious
• Filename: 1nzNNooNMS.msi, Detection: malicious
• Filename: Le55bnMCON.msi, Detection: malicious
• Filename: z8yxMFhhZI.msi, Detection: malicious
• Filename: kTbv9ZA2x0.msi, Detection: malicious
• Filename: IwmwOaVHnd.msi, Detection: malicious
• Filename: gaYiWz75kv.msi, Detection: malicious
• Filename: e8gTT6OTKZ.msi, Detection: malicious
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):384542
                                                                                                                                                                                                                                                                        Entropy (8bit):7.999374626035649
                                                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                                                        SSDEEP:6144:viqRTU5exRWDCtTLvL0XRFJE9A+BQlv9I+NBsNQvaNXvhGf1mzVeUXJLo:vil/DSLvAJ6CxBHmJXVpJLo
                                                                                                                                                                                                                                                                        MD5:4A09A87D2004DAC4B00687E9C9F15036
                                                                                                                                                                                                                                                                        SHA1:C78BB288E7A96642093ABE44CB9B7BBD3EC447BA
                                                                                                                                                                                                                                                                        SHA-256:2DBC8CF2592604C09793CBED61E0B072B1B1FFA375FB3C9ABCA83FA0E18AB9A5
                                                                                                                                                                                                                                                                        SHA-512:F555F5A0BB80514BC71BB33A77620D28A9E6715E538372AAA7F0500BC8D5BFE8511F5CA982E15304422479FF693E6F38510D6616A94580FC1B105DD2DA605EAA
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):177704
                                                                                                                                                                                                                                                                        Entropy (8bit):5.814572246989157
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3072:2DpvOyLSson7aezB53Pbsk4GJCMA1TSuAehuZ7f2lz8/Cvolc3a:2D4y07asBx4krGSegZX3
                                                                                                                                                                                                                                                                        MD5:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                        SHA1:2E537E504704670B52CE775943F14BFBAF175C1B
                                                                                                                                                                                                                                                                        SHA-256:847D0CD49CCE4975BAFDEB67295ED7D2A3B059661560CA5E222544E9DFC5E760
                                                                                                                                                                                                                                                                        SHA-512:47228CBDBA54CD4E747DBA152FEB76A42BFC6CD781054998A249B62DD0426C5E26854CE87B6373F213B4E538A62C08A89A488E719E2E763B7B968E77FBF4FC02
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):546
                                                                                                                                                                                                                                                                        Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                                                        MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                                                        SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                                                        SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                                                        SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3:WhWbn:WCn
                                                                                                                                                                                                                                                                        MD5:EB053699FC80499A7185F6D5F7D55BFE
                                                                                                                                                                                                                                                                        SHA1:9700472D22B1995C320507917FA35088AE4E5F05
                                                                                                                                                                                                                                                                        SHA-256:BCE3DFDCA8F0B57846E914D497F4BB262E3275F05EA761D0B4F4B778974E6967
                                                                                                                                                                                                                                                                        SHA-512:D66FA39C69D9C6448518CB9F98CBDAD4CE5E93CEEF8D20CE0DEEF91FB3E512B5D5A9458F7B8A53D4B68D693107872C5445E99F87C948878F712F8A79BC761DBF
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:version=38.0
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):96808
                                                                                                                                                                                                                                                                        Entropy (8bit):6.1799972918389185
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:1536:UJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762A:UQUm2H5KTfOLgxFJjE50vksVUfPvO1W
                                                                                                                                                                                                                                                                        MD5:E2A9291940753244C88CB68D28612996
                                                                                                                                                                                                                                                                        SHA1:BAD8529A85C32E5C26C907CFB2FB0DA8461407AE
                                                                                                                                                                                                                                                                        SHA-256:6565E67D5DB582B3DE0B266EB59A8ACEC7CDF9943C020CB6879833D8BD784378
                                                                                                                                                                                                                                                                        SHA-512:F07669A3939E3E6B5A4D90C3A5B09CA2448E8E43AF23C08F7A8621817A49F7B0F5956D0539333A6DF334CC3E517255242E572EAEF02A7BBF4BC141A438BF9EB9
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):704552
                                                                                                                                                                                                                                                                        Entropy (8bit):5.953959038895453
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12288:/9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3i:/8m657w6ZBLmkitKqBCjC0PDgM5y
                                                                                                                                                                                                                                                                        MD5:3EF8D12AA1D48DEC3AC19A0CEABD4FD8
                                                                                                                                                                                                                                                                        SHA1:C81B7229A9BD55185A0EDCCB7E6DF3B8E25791CF
                                                                                                                                                                                                                                                                        SHA-256:18C1DDBDBF47370CC85FA2CF7BA043711AB3EADBD8DA367638686DFD6B735C85
                                                                                                                                                                                                                                                                        SHA-512:0FF2E8DBFEF7164B22F9AE9865E83154096971C3F0B236D988AB947E803C1ED03D86529AB80D2BE9FF33AF305D34C9B30082F8C26E575F0979CA9287B415F9F9
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):216
                                                                                                                                                                                                                                                                        Entropy (8bit):5.1847066729721485
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:6:AcMdlIwdLKFK9w3pKFSQWO2AVAatOsyWQFDX:9MnImLepMSQPVA/sF+X
                                                                                                                                                                                                                                                                        MD5:765EA676A2DDE849CD68E6EDFC50520B
                                                                                                                                                                                                                                                                        SHA1:58A548181D6EE9CD98C75C60C6AB82C87E82114F
                                                                                                                                                                                                                                                                        SHA-256:F0F9CC290472CC1EF1042ED1BF94919BD16DB075B7B4DB435162A6C8D16C7A7B
                                                                                                                                                                                                                                                                        SHA-512:03E7D820BFE05E9926828640040C95E96FF996694B55A0D6EB3F454F34751048DCF6A4F8E69055D2EAFC0F421FD286AEE98F74A4BA39C6ACB0C83B4E7B7896EF
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=veronicacc@ilsamexico.com /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000LzG3lIAF /AgentId=d15def5a-efb4-4303-98c9-cf62501a24d9.24/11/2024 05:15:37 Trace Starting..
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):2402
                                                                                                                                                                                                                                                                        Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                                                        MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                                                        SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                                                        SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                                                        SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                                                                        Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                                                        MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                                                        SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                                                        SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                                                        SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                                                        Entropy (8bit):7.878669619196451
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:49152:t+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:t+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                        MD5:4CABBDCB677450204D2B0F8BD36F85AF
                                                                                                                                                                                                                                                                        SHA1:CAC64533022F26832165B6D2C13C2C61E0FFB867
                                                                                                                                                                                                                                                                        SHA-256:55D315224A8902E9847EE48F454FC97334E18BBAFF4189F2FCBAAACBA8330CBF
                                                                                                                                                                                                                                                                        SHA-512:0A2E1554F3E8BD59AF9E766593CB0035E9F14E17884583E95241161ED2B40A16B9352C2D0FD177BBA781BEA5C0D8FD2017AF6AACDD56B367EC336DB3B808C293
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                                                        Entropy (8bit):7.878669619196451
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:49152:t+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:t+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                        MD5:4CABBDCB677450204D2B0F8BD36F85AF
                                                                                                                                                                                                                                                                        SHA1:CAC64533022F26832165B6D2C13C2C61E0FFB867
                                                                                                                                                                                                                                                                        SHA-256:55D315224A8902E9847EE48F454FC97334E18BBAFF4189F2FCBAAACBA8330CBF
                                                                                                                                                                                                                                                                        SHA-512:0A2E1554F3E8BD59AF9E766593CB0035E9F14E17884583E95241161ED2B40A16B9352C2D0FD177BBA781BEA5C0D8FD2017AF6AACDD56B367EC336DB3B808C293
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2EE0.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIC7E.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):437328
                                                                                                                                                                                                                                                                        Entropy (8bit):6.648025615793344
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12288:mt3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4KsM:GzOE2Z34KGzOE2Z34Kp
                                                                                                                                                                                                                                                                        MD5:587F7337BEF4C6D0C1EDF1BE79F88E05
                                                                                                                                                                                                                                                                        SHA1:81FDC82C8929C4064BA011A43907D18C908B1B60
                                                                                                                                                                                                                                                                        SHA-256:EB85E53AD217AE94C389AB5B8AA77D204E19CEC0204CFBCC77639F61282283EB
                                                                                                                                                                                                                                                                        SHA-512:AA0D94E75CB2B13DFE9EAB7CD961CEDAD19AB31017041CA3F43D2DFB94F006BDCA9AABF7A0C6CE5EE1C8A0A7251A46A39B096CCB88CE11480E7591FDE71CE96C
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIEE0.tmp, Author: Joe Security
                                                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.)xY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..file_66efd0132ceed.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[...........
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIF0D6.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIF626.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                                                        Entropy (8bit):1.1684470244006357
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12:JSbX72Fjy6AGiLIlHVRpRh/7777777777777777777777777vDHFY222piEAHu+z:Js6QI5F32D5H6F
                                                                                                                                                                                                                                                                        MD5:F5E6B9272C2FB089B5854010CDC87D14
                                                                                                                                                                                                                                                                        SHA1:50B5D314D3A86F48B52E60FB38F5E827D9BA8BA7
                                                                                                                                                                                                                                                                        SHA-256:15A34C9825FEAC0A25EDB33B694A53E0996239DCB0E890010FFC1B47F87C331C
                                                                                                                                                                                                                                                                        SHA-512:549745EB3AFCF01CCF56428981264911C6F9ACBF7D5B2CFB5DB9D2CC72BEA7874475180AD2676CF9F0B82634251219F3AC60E6FBED7D92A6F270A687A3347CA2
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                                                        Entropy (8bit):1.5662943606914403
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:48:EJ8PhTuRc06WXJmFT56u9qISoedGPdGfnrh5ohStedGPdGRubMn:PhT19FTgugIA5qoI
                                                                                                                                                                                                                                                                        MD5:B0140519FD4587B28318263FD9FE7A89
                                                                                                                                                                                                                                                                        SHA1:6048E21B7E0BA2D646BEEC4092AF416B1FFB0047
                                                                                                                                                                                                                                                                        SHA-256:2A40B640A4BB7600580866CDA9738DAC0534E8D06EA3718037E03ADDC1C62E0F
                                                                                                                                                                                                                                                                        SHA-512:0E91B42B5D3A4782D96EDA24C1DEE9A59FBC3E4EF6389B8549CD0A02053052BDAB2A96979643BB33B86B4D52826D5C30B0EB2B540623FA75BA9E4B3B1D38EC25
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\SIHClient.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                                                        Entropy (8bit):3.16995352670447
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:96:FGS5IHUYz4wK7+MwbsriTxpYL2z9IcCkZpZYcbIQSelcPEbJLfwvgKix:FRDYz4375eBTjUiapUZ7b9hwEbtOgKix
                                                                                                                                                                                                                                                                        MD5:7C92F6F834D22B1175F059A7FB150A33
                                                                                                                                                                                                                                                                        SHA1:CD00F505CDD24FE496E60C9E6044CB0A2BE1C266
                                                                                                                                                                                                                                                                        SHA-256:C89021FE8A50B259CB2080C53E4F3A9C1321C89A5C8D586D0F25557B55F893FF
                                                                                                                                                                                                                                                                        SHA-512:3383E842DDF62E46FC8BF272AA909BA4DCDD990E5FAF74CA6379B244DAD1F83EC0EE6C2E4203B7429414240F4B61A4EE3230DB55BC45790F8F92004ED507DC36
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:....P...P.......................................P...!...................................!..b....................eJ........M.Y>..Zb....... ......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1.............................................................D.f............L.Y>..........S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.4.1.1.2.4...0.5.1.5.3.7...1.6.1...1...e.t.l.......P.P.........!..b....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):360000
                                                                                                                                                                                                                                                                        Entropy (8bit):5.3629733188376365
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauy:zTtbmkExhMJCIpE5
                                                                                                                                                                                                                                                                        MD5:D16815809DB01FABA719C149D9BC67F4
                                                                                                                                                                                                                                                                        SHA1:3EA18E4B550458D3376E463DD33DEB53FEFC3A08
                                                                                                                                                                                                                                                                        SHA-256:07F903D32E1EDF5796797AD5B6DAC8EFD5DB35179D4661A2084C27F3451D1589
                                                                                                                                                                                                                                                                        SHA-512:303528F57A51A44628AD632C40CD7E91C8A32217E62ED93B0E25CC70A841CBA8D06B8AC258858E8E2C3140BCD2C0168943711DA65BEC5B476DBA3F29EE6E8E5B
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                                                                                                                        Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                                                        Size (bytes):2464
                                                                                                                                                                                                                                                                        Entropy (8bit):3.248098195438526
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:24:QOaqdmuF3rc4m+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVB:FaqdF7c9+AAHdKoqKFxcxkFCn
                                                                                                                                                                                                                                                                        MD5:8B420D3DFF8212823A6C1025D204A565
                                                                                                                                                                                                                                                                        SHA1:D03B9AD680F3F97BEB5D4F0F22D074175E79DA06
                                                                                                                                                                                                                                                                        SHA-256:57B33E6E6B661A2BF2D4D3B58E94ECAC8AEDA94437FFD196D951521723349A34
                                                                                                                                                                                                                                                                        SHA-512:0FC49CF8B290216977E68462D12FFE6A07AFFA34C980542B15C0D9C780A06A4629462FAC8B87D35BF46F338CC601CE7A263D6013984DA112329F787537D9C7EE
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.u.n. .. N.o.v. .. 2.4. .. 2.0.2.4. .0.5.:.1.6.:.0.0.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\SIHClient.exe
                                                                                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):17126
                                                                                                                                                                                                                                                                        Entropy (8bit):7.3117215578334935
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
                                                                                                                                                                                                                                                                        MD5:1B6460EE0273E97C251F7A67F49ACDB4
                                                                                                                                                                                                                                                                        SHA1:4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
                                                                                                                                                                                                                                                                        SHA-256:3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
                                                                                                                                                                                                                                                                        SHA-512:3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\SIHClient.exe
                                                                                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):24490
                                                                                                                                                                                                                                                                        Entropy (8bit):7.629144636744632
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
                                                                                                                                                                                                                                                                        MD5:ACD24F781C0C8F48A0BD86A0E9F2A154
                                                                                                                                                                                                                                                                        SHA1:93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
                                                                                                                                                                                                                                                                        SHA-256:5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
                                                                                                                                                                                                                                                                        SHA-512:7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\SIHClient.exe
                                                                                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, single, 858 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 12183, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):19826
                                                                                                                                                                                                                                                                        Entropy (8bit):7.454351722487538
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:384:3j+naF6zsHqnltHNsAR9zCfsOCUPTNbZR9zOzD8K:z1F6JLts89zIdrFT9zwoK
                                                                                                                                                                                                                                                                        MD5:455385A0D5098033A4C17F7B85593E6A
                                                                                                                                                                                                                                                                        SHA1:E94CC93C84E9A3A99CAD3C2BD01BFD8829A3BCD6
                                                                                                                                                                                                                                                                        SHA-256:2798430E34DF443265228B6F510FC0CFAC333100194289ED0488D1D62C5367A7
                                                                                                                                                                                                                                                                        SHA-512:104FA2DAD10520D46EB537786868515683752665757824068383DC4B9C03121B79D9F519D8842878DB02C9630D1DFE2BBC6E4D7B08AFC820E813C250B735621A
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\SIHClient.exe
                                                                                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, single, 11149 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 18779, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):30005
                                                                                                                                                                                                                                                                        Entropy (8bit):7.7369400192915085
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:768:ouCAyCeQ8fkZdfTGo/its89z8gjP69zA4:Aqf56z8HzT
                                                                                                                                                                                                                                                                        MD5:4D7FE667BCB647FE9F2DA6FC8B95BDAE
                                                                                                                                                                                                                                                                        SHA1:B4B20C75C9AC2AD00D131E387BCB839F6FAAABCA
                                                                                                                                                                                                                                                                        SHA-256:BE273EA75322249FBF58C9CAD3C8DA5A70811837EF9064733E4F5FF1969D4078
                                                                                                                                                                                                                                                                        SHA-512:DDB8569A5A5F9AD3CCB990B0A723B64CEE4D49FA6515A8E5C029C1B9E2801F59259A0FC401E27372C133952E4C4840521419EF75895260FA22DFF91E0BE09C02
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):704
                                                                                                                                                                                                                                                                        Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                                                        MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                                                        SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                                                        SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                                                        SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                        Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):471
                                                                                                                                                                                                                                                                        Entropy (8bit):7.187019651177751
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12:JyYOzg5GLsHzqTykJ0Ysbwsn5SWPYkq3n:JRO0ILsyJ0Y+Z5lYn
                                                                                                                                                                                                                                                                        MD5:441A4996E2EE86C4B588D8C0D407E7C2
                                                                                                                                                                                                                                                                        SHA1:0987D79EAECF4AFAD0E5C6F7BD9BD0A90CEABBD4
                                                                                                                                                                                                                                                                        SHA-256:300CFA12D5560F2B04E870FE42E15B6A2007E8F53E4CE1329BD506382075E657
                                                                                                                                                                                                                                                                        SHA-512:8D6D5BD1EA7BAAFEB8CA750CE112ED7FAD1477E1DEEF34994A145893EED217D1A9990A52D76790F8C00484378778504626E5C6A5F5193B8DA661AFDBD62600B0
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                                                        Entropy (8bit):7.537072345098989
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12:5o6Tq9R5h44TUqrqILBKSB/P8KcFHiGIkZEaOR6qtcO4CoTBF/ZW9FD1QvuTw/n/:54oqXVKSBH8KqiGZtfqiOboTBF4l1ve/
                                                                                                                                                                                                                                                                        MD5:49BA85BE2CB152368FE6EE8982CF3D76
                                                                                                                                                                                                                                                                        SHA1:F078FDB44C9C62D64DC79849C7E41DEC4441A9C0
                                                                                                                                                                                                                                                                        SHA-256:28B91A2A15DFCE2BB789D5CF10E55DC8D46418AF6E8574CBA83CCAD4D396BE68
                                                                                                                                                                                                                                                                        SHA-512:67F5293A94BF17ED5031EEC51EE06BBC467860CDC48A2712694418185C0D400386BCD3D3C4FB46E7B5E50EEE1A6A4747707A3058D0C982B4CB16E8374816E787
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):1716
                                                                                                                                                                                                                                                                        Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                                                        MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                                                        SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                                                        SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                                                        SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                                                        Entropy (8bit):7.534031201200033
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12:5onfZUxc5RlRtBfQOx/hsLzjyNiA6M4SjmFjt5Y1DohqGoz7UcN/YNjoRLUE2lH2:5iCxcdZbxJqjFJ5mDohqocRYN7latn
                                                                                                                                                                                                                                                                        MD5:3AA154C597F0D3EF221B82298CE04F78
                                                                                                                                                                                                                                                                        SHA1:C15D53176E903BFAB12665B3E42D1B9ECCFB54D0
                                                                                                                                                                                                                                                                        SHA-256:B75A76C1C71E981D5299E2A8F85D317D14DA91FD79A615C70EF14876EBC9557D
                                                                                                                                                                                                                                                                        SHA-512:B9B93ED7F99E8B96EFB85A4DC9A8CEE9F7057B87DA9C2A1FE82FE8CD308F89C42E76E9170BB429999E1D985AF7847463B8C60173C44413685472E0B5E2306324
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):1428
                                                                                                                                                                                                                                                                        Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                                                        MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                                                        SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                                                        SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                                                        SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):338
                                                                                                                                                                                                                                                                        Entropy (8bit):3.4620383296566426
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:6:kKtI8kiJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:OpBkPlE99SCQl2DUevat
                                                                                                                                                                                                                                                                        MD5:1826C9B31F83A4C9B6A398C2635FDE24
                                                                                                                                                                                                                                                                        SHA1:8498A9EF7F94E5574C39F2BD5A88C4C1D4D4C219
                                                                                                                                                                                                                                                                        SHA-256:A3B0831F8A5F333AE5AE1BD6F49E0B0FF2AA4D866236D76370053D81D0153B3B
                                                                                                                                                                                                                                                                        SHA-512:2BFD24ACFE3F5EE3F95314392576CF5190DEAA6EC08DDA01CE23499B07F0EB8D61CF4A9045B368EFBF79AA24BBBAE3B088B8B4A82AAF7046CFA4174651D8E066
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:p...... .........6.)....(...................................................>.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):400
                                                                                                                                                                                                                                                                        Entropy (8bit):3.956607117569323
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:6:kKllvWhqXlF3sfybbJXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJ:LXn3DvPmxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                                                                                                                                                                                        MD5:442AE5DEA445C23E077E34A0D7E05B74
                                                                                                                                                                                                                                                                        SHA1:6B1ACAB3E8B933E2426EA95780FAEF927BEB319A
                                                                                                                                                                                                                                                                        SHA-256:BB307B9FD6908A95269959AD3AD0DB018EB6098EEDA28D2FEFBAB4F41601FD76
                                                                                                                                                                                                                                                                        SHA-512:A73EEEF0C49057A78B1FEF806D4E22B4C1720744CCE1CB87FB63014E0B3CFB81467563919CBEFF0B6FE4970C67D2FB547B5DCCACB4553BBB794A8BFF2F3FD7C6
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:p...... ........bd..Y>..(................~...=....o.ZC....................o.ZC.. .........KW>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):404
                                                                                                                                                                                                                                                                        Entropy (8bit):3.951376028698464
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:6:kK3cVt3klhEsxfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+KscSi8:U3kjEwmxMiv8sF3HtllJZIvOP205scn8
                                                                                                                                                                                                                                                                        MD5:28729E87E55BC2CD443E91CD0AF6B0F9
                                                                                                                                                                                                                                                                        SHA1:14F77D9E81C1DE57D5C3A5B52373BB902C59F5B1
                                                                                                                                                                                                                                                                        SHA-256:D0DC4148AF39EFE3E7F4A819CD27DC795AFEB9C34F5D20865ED71E281AF5EF16
                                                                                                                                                                                                                                                                        SHA-512:F0341F4D6EDF1CB38275C429FCD787978D3138757186F5C7922A5EB10D7F5764C22D7D87E96BD19AAF25B82B3FCDD4A6FAEF35F06014FF29EC51D1C24BEC1F99
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:p...... .... ....~.._>..(................s..=...K.`eC...................K.`eC.. ...........O>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):308
                                                                                                                                                                                                                                                                        Entropy (8bit):3.1988900267025158
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:6:kKp+M/fzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:ILtWOxSW0P3PeXJUZY
                                                                                                                                                                                                                                                                        MD5:8C0AA91C051680053BFB559363C89C50
                                                                                                                                                                                                                                                                        SHA1:33BD6440A82030BB17A0F0A22268AE23C570F122
                                                                                                                                                                                                                                                                        SHA-256:78FA486C219A8B349D09FF389E85FCC97FBA8F67F13E0D3C15378A8A4483B52B
                                                                                                                                                                                                                                                                        SHA-512:BF0DBC6EAFF1A82430AC32093D47AA505584E6A6663F396C9FD19E177FB51D13D4E60515D25DE9ACC6CDC8CAE2ECB84A18DF265FD8E3AB3B4EAEAC6279CD75BF
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:p...... ........$.c/^>..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                                                        Size (bytes):412
                                                                                                                                                                                                                                                                        Entropy (8bit):3.535832649296158
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:6:kKhbNkISfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:/fSmxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                                                        MD5:40F23432FEC33D614AE1A3006D07CA23
                                                                                                                                                                                                                                                                        SHA1:DC6C39CDA2A607A61D9AF7D0D01048DA4B282A3D
                                                                                                                                                                                                                                                                        SHA-256:7BE4F02A344F157AC95264DACF387B24D85237C6F3C7FE88D2C54375321FC563
                                                                                                                                                                                                                                                                        SHA-512:BFF937F6362A1A6D8BAB2CDF4799AF0CDFB6AF275BD315C18E4468EDA40B53AEA75AC08CBE5C4E7E607CE45B2933B97BED339935D85E705D3D988805AB0A9C76
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:p...... ....(..........(....................................................... .........AW>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):254
                                                                                                                                                                                                                                                                        Entropy (8bit):3.052898866971229
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:6:kK5PWk3/hLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:ok3pLYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                                                        MD5:AAB1F6202DAFC659525FE62D48B99C72
                                                                                                                                                                                                                                                                        SHA1:ED6F18A9738A2CFBD73C3EDCFFF022F351DAC9C5
                                                                                                                                                                                                                                                                        SHA-256:1BF062C181ECD50E6050EB7FC299861CB0795C97A55E0ADFFC68CE5D07A86B93
                                                                                                                                                                                                                                                                        SHA-512:DC923FF06F1FF1D6CD98BE835D540EFC37E67F964F419EAB01B02A14DA015C9678F390BBF5596E1840EA1BC931AC13DD9460DD1788C31D24E5134354F1DCBA6E
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:p...... ....l....(.j^>..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):1944
                                                                                                                                                                                                                                                                        Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                                                                                                                                                                                        MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                                                                                                                                                                                        SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                                                                                                                                                                                        SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                                                                                                                                                                                        SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                                                        Entropy (8bit):0.07497892871939499
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOY22UUekPUiETkHkAVky6l+:2F0i8n0itFzDHFY222piEAHu+
                                                                                                                                                                                                                                                                        MD5:E4C6F9F11F16F110DA3FC67D30667A05
                                                                                                                                                                                                                                                                        SHA1:DD21C687493D0CB19D9C535EE581D6D21836E7A5
                                                                                                                                                                                                                                                                        SHA-256:8699327C19B74CB692B1EEF2AC1A3D31A67CA74D47006DA264C4C4AB47DF7C2C
                                                                                                                                                                                                                                                                        SHA-512:016B0765004CAA4C95F6569ABF9BF79AE861D446FBB22330DA2FB648831397A4F6819DD867A992E3A0340940B8CE834599AF7D47F7C6B74FDD0362173F0C0646
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                                                        Entropy (8bit):1.253936340399642
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:48:gCgLuk+PveFXJnT56u9qISoedGPdGfnrh5ohStedGPdGRubMn:kLFPTgugIA5qoI
                                                                                                                                                                                                                                                                        MD5:304EBC7DA44A0332F87ACC95B2619B43
                                                                                                                                                                                                                                                                        SHA1:27412993AB2366939C6387FBCEAC6C4F3A4D85CA
                                                                                                                                                                                                                                                                        SHA-256:6B276BBABB63A4498732CFF52DAC71C524DC6D73762B98E22F57044828B8C493
                                                                                                                                                                                                                                                                        SHA-512:B34ECABCF2E363C8B22783E035C902C96221F47D067B21C141F929C3439DE3AE5E3BFD735200FC3E999DCE398247B59F94B037EC7DE8F7F082D8798B2F1D51FE
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF49B5C2D0F32FF272.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                                                        Entropy (8bit):1.253936340399642
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:48:gCgLuk+PveFXJnT56u9qISoedGPdGfnrh5ohStedGPdGRubMn:kLFPTgugIA5qoI
                                                                                                                                                                                                                                                                        MD5:304EBC7DA44A0332F87ACC95B2619B43
                                                                                                                                                                                                                                                                        SHA1:27412993AB2366939C6387FBCEAC6C4F3A4D85CA
                                                                                                                                                                                                                                                                        SHA-256:6B276BBABB63A4498732CFF52DAC71C524DC6D73762B98E22F57044828B8C493
                                                                                                                                                                                                                                                                        SHA-512:B34ECABCF2E363C8B22783E035C902C96221F47D067B21C141F929C3439DE3AE5E3BFD735200FC3E999DCE398247B59F94B037EC7DE8F7F082D8798B2F1D51FE
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF7C5DF2A1FD1395B7.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                                                        Entropy (8bit):1.253936340399642
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:48:gCgLuk+PveFXJnT56u9qISoedGPdGfnrh5ohStedGPdGRubMn:kLFPTgugIA5qoI
                                                                                                                                                                                                                                                                        MD5:304EBC7DA44A0332F87ACC95B2619B43
                                                                                                                                                                                                                                                                        SHA1:27412993AB2366939C6387FBCEAC6C4F3A4D85CA
                                                                                                                                                                                                                                                                        SHA-256:6B276BBABB63A4498732CFF52DAC71C524DC6D73762B98E22F57044828B8C493
                                                                                                                                                                                                                                                                        SHA-512:B34ECABCF2E363C8B22783E035C902C96221F47D067B21C141F929C3439DE3AE5E3BFD735200FC3E999DCE398247B59F94B037EC7DE8F7F082D8798B2F1D51FE
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB427C4F2E911224E.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                                                        Entropy (8bit):1.5662943606914403
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:48:EJ8PhTuRc06WXJmFT56u9qISoedGPdGfnrh5ohStedGPdGRubMn:PhT19FTgugIA5qoI
                                                                                                                                                                                                                                                                        MD5:B0140519FD4587B28318263FD9FE7A89
                                                                                                                                                                                                                                                                        SHA1:6048E21B7E0BA2D646BEEC4092AF416B1FFB0047
                                                                                                                                                                                                                                                                        SHA-256:2A40B640A4BB7600580866CDA9738DAC0534E8D06EA3718037E03ADDC1C62E0F
                                                                                                                                                                                                                                                                        SHA-512:0E91B42B5D3A4782D96EDA24C1DEE9A59FBC3E4EF6389B8549CD0A02053052BDAB2A96979643BB33B86B4D52826D5C30B0EB2B540623FA75BA9E4B3B1D38EC25
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFBC946715E876F51D.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                                                        Entropy (8bit):1.5662943606914403
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:48:EJ8PhTuRc06WXJmFT56u9qISoedGPdGfnrh5ohStedGPdGRubMn:PhT19FTgugIA5qoI
                                                                                                                                                                                                                                                                        MD5:B0140519FD4587B28318263FD9FE7A89
                                                                                                                                                                                                                                                                        SHA1:6048E21B7E0BA2D646BEEC4092AF416B1FFB0047
                                                                                                                                                                                                                                                                        SHA-256:2A40B640A4BB7600580866CDA9738DAC0534E8D06EA3718037E03ADDC1C62E0F
                                                                                                                                                                                                                                                                        SHA-512:0E91B42B5D3A4782D96EDA24C1DEE9A59FBC3E4EF6389B8549CD0A02053052BDAB2A96979643BB33B86B4D52826D5C30B0EB2B540623FA75BA9E4B3B1D38EC25
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC63CC543F8C13A3F.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                                                        Entropy (8bit):0.14369982431220038
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:48:CnEubmStedGPdGeqISoedGPdGfnrh5oQ7:iNyLIA517
                                                                                                                                                                                                                                                                        MD5:55583247B7998CC0E79970283AB09158
                                                                                                                                                                                                                                                                        SHA1:C02ED4B661729633AA8F65B5D5EA27F2CF512977
                                                                                                                                                                                                                                                                        SHA-256:807A43E7FAE2250C28D8ED7477B9CF761452457A553D449949FABCE7693130E3
                                                                                                                                                                                                                                                                        SHA-512:99D794E0A6FAB5B97365D79573A3497DB9D0CBB0C50E6C0AA2073AE178A6EA5B422FE20732C8E70FE36F184911D5E566100B6FE82644E0F3B1CCDA6C42104337
                                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD9E785709C7D5F3E.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                                        Size (bytes):457
                                                                                                                                                                                                                                                                        Entropy (8bit):5.364450563371592
                                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                                        SSDEEP:12:Y0rsShlOS0+3dYfBUImLR2xOiOs0w3rTPMlpWFq:Y0rBBtcmImLe7TXPMSFq
                                                                                                                                                                                                                                                                        MD5:4370D3C145C3AC3FCFA292FE80D4A9EB
                                                                                                                                                                                                                                                                        SHA1:DFA22BC012DECDE543D58284DD4A54755537FBE4
                                                                                                                                                                                                                                                                        SHA-256:AC25EB26D1E71482C2D55C783C1535C2BD8577AAB7076665F667DD731251E130
SHA-512:B93993E79CD5A2C0821AEDC5BDC0D08FECDF818AF3682D532CF2A99709A2942C3A752667153CA814A34E3ECB3FC12AD7DB9146ED575007E56E5E06FD524C5BE4
Malicious:false
Preview:{"PackageName":"AgentPackageAgentInformation","ExecutableCommandArgs":["minimalIdentification"],"Data":{"AccountId":"001Q300000LzG3lIAF","UserLogin":"veronicacc@ilsamexico.com","MachineName":"116938","CustomerId":"1","FolderId":"","IsMinimalIdentification":true,"UniqueMachineIdentifier":"FGyKuRDkptuqznI492YuoKniJz5mXZPOjKJLwPZlaEY=","OsType":"Windows"},"CommandId":"832c3a8d-c1ac-4e47-a5dd-e5330b8175f2","AgentId":"d15def5a-efb4-4303-98c9-cf62501a24d9"}..

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Entropy (8bit):7.878669619196451
TrID:
• Microsoft Windows Installer (60509/1) 57.88%
• ClickyMouse macro set (36024/1) 34.46%
• Generic OLE2 / Multistream Compound File (8008/1) 7.66%
File name:file_66efd0132ceed.msi
File size:2'994'176 bytes
MD5:4cabbdcb677450204d2b0f8bd36f85af
SHA1:cac64533022f26832165b6d2c13c2c61e0ffb867
SHA256:55d315224a8902e9847ee48f454fc97334e18bbaff4189f2fcbaaacba8330cbf
SHA512:0a2e1554f3e8bd59af9e766593cb0035e9f14e17884583e95241161ed2b40a16b9352c2d0fd177bba781bea5c0d8fd2017af6aacdd56b367ec336db3b808c293
SSDEEP:49152:t+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:t+lUlz9FKbsodq0YaH7ZPxMb8tT
TLSH:B0D523117584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76FB3
Icon Hash:2d2e3797b32b2b99

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T11:15:49.030826+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49725 | 13.232.67.199 | 443 | TCP
2024-11-24T11:15:52.435626+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49730 | 13.232.67.199 | 443 | TCP
2024-11-24T11:16:37.467776+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49739 | 13.232.67.199 | 443 | TCP
2024-11-24T11:16:48.236736+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49761 | 13.232.67.199 | 443 | TCP
2024-11-24T11:16:54.782822+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49782 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:00.530538+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49800 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:03.981425+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49810 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:09.057552+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49826 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:14.130978+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49846 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:20.775137+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49870 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:26.171412+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49892 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:32.743229+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49920 | 13.232.67.199 | 443 | TCP
2024-11-24T11:17:38.573727+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49941 | 13.232.67.199 | 443 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:49.595423937 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:51.406862974 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:51.406990051 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:51.408770084 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:51.408790112 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:51.409086943 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:51.409881115 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:51.451342106 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:51.866607904 CET4434973113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:51.868184090 CET49731443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:51.868212938 CET4434973113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:51.900557995 CET4434973013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:51.902054071 CET49730443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:51.902086973 CET4434973013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.160595894 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.160635948 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.160654068 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.160820961 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.160841942 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.160897017 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.339194059 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.339231014 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.339283943 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.339298010 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.339327097 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.339334965 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.389008045 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.389039993 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.389123917 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.389144897 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.389189959 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.435655117 CET4434973013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.435731888 CET4434973013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.435801029 CET49730443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.439050913 CET49730443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.509663105 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.509697914 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.509804964 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.509819031 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.509861946 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.542176008 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.542205095 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.542324066 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.542337894 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.542382956 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.575221062 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.575251102 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.575340986 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.575350046 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.575397015 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.608071089 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.608099937 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.608330011 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.608340025 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.608386993 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.702003956 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.702034950 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.702162027 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.702178001 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.702215910 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.721988916 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.722013950 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.722220898 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.722238064 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.722280979 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.742662907 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.742683887 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.742755890 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.742789984 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.742851019 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.762073994 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.762099028 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.762214899 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.762244940 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.762299061 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.778870106 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.778893948 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.779031038 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.779052973 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.779093981 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.799283981 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.799319983 CET44349732108.158.75.93192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:15:52.799441099 CET49732443192.168.2.8108.158.75.93
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:51.841579914 CET49762443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:51.841687918 CET4434976213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:51.841788054 CET49762443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:51.858283997 CET49780443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:51.858315945 CET4434978013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:51.858396053 CET49780443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:51.858774900 CET49780443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:51.858791113 CET4434978013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:51.870575905 CET49782443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:51.870603085 CET4434978213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:51.870701075 CET49782443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:51.870955944 CET49782443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:51.870973110 CET4434978213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.244096994 CET4434978013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.244208097 CET49780443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.247468948 CET49780443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.247477055 CET4434978013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.247725010 CET4434978013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.248795986 CET49780443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.257757902 CET4434978213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.257880926 CET49782443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.259381056 CET49782443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.259388924 CET4434978213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.259624958 CET4434978213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.261683941 CET49782443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.295326948 CET4434978013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.307326078 CET4434978213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.771450043 CET4434978013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.771543980 CET4434978013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.771689892 CET49780443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.772394896 CET49780443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.773422003 CET49789443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.773462057 CET4434978913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.773535013 CET49789443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.773787975 CET49789443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.773798943 CET4434978913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.782845020 CET4434978213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.833940983 CET49782443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.833956003 CET4434978213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.834542036 CET49782443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.834641933 CET4434978213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:54.834719896 CET49782443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.157489061 CET4434978913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.157679081 CET49789443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.159771919 CET49789443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.159784079 CET4434978913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.160032034 CET4434978913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.160964966 CET49789443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.203337908 CET4434978913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.684461117 CET4434978913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.684519053 CET4434978913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.684633970 CET49789443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.685511112 CET49789443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.688694000 CET49800443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.688708067 CET4434980013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.689429045 CET49801443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.689452887 CET4434980113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.689472914 CET49800443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.689531088 CET49801443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.689806938 CET49800443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.689821005 CET4434980013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.689965963 CET49801443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:16:57.689982891 CET4434980113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:00.015454054 CET4434980013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:00.016997099 CET49800443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:00.017005920 CET4434980013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:00.500019073 CET4434980113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:00.502183914 CET49801443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:00.502193928 CET4434980113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:00.530582905 CET4434980013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:00.530664921 CET4434980013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:00.530730009 CET49800443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:00.531335115 CET49800443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:01.033360958 CET4434980113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:01.033420086 CET4434980113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:01.033464909 CET49801443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:01.033474922 CET4434980113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:01.033487082 CET4434980113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:01.033555031 CET49801443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:01.034262896 CET49801443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:01.061100006 CET49810443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:01.061139107 CET4434981013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:01.061224937 CET49810443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:14.133156061 CET49857443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:14.133436918 CET49857443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:14.133457899 CET4434985713.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:14.527223110 CET4434984513.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:14.527303934 CET4434984513.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:14.527564049 CET49845443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:14.528310061 CET49845443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:14.530669928 CET49859443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:14.530730009 CET4434985913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:14.530919075 CET49859443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:14.531574965 CET49859443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:14.531596899 CET4434985913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:16.508239031 CET4434985713.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:16.512701035 CET49857443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:16.512717962 CET4434985713.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:16.912283897 CET4434985913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:16.913785934 CET49859443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:16.913799047 CET4434985913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.076155901 CET4434985713.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.076232910 CET4434985713.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.076306105 CET49857443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.076797962 CET49857443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.077861071 CET49867443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.077920914 CET4434986713.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.077986956 CET49867443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.078329086 CET49867443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.078363895 CET4434986713.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.436312914 CET4434985913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.490238905 CET49859443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.490248919 CET4434985913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.490729094 CET49859443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.490829945 CET4434985913.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.490895987 CET49859443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.800756931 CET49870443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.800796986 CET4434987013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.800995111 CET49870443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.803339958 CET49870443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:17.803354979 CET4434987013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:20.241822004 CET4434987013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:20.241903067 CET49870443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:20.243662119 CET49870443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:20.243671894 CET4434987013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:20.243923903 CET4434987013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:20.244889021 CET49870443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:20.287336111 CET4434987013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:20.775150061 CET4434987013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:20.775218010 CET4434987013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:20.775262117 CET49870443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:20.775888920 CET49870443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.377397060 CET4434986713.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.377521038 CET49867443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.382692099 CET49867443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.382721901 CET4434986713.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.383024931 CET4434986713.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.387856007 CET49867443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.431335926 CET4434986713.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.949789047 CET4434986713.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.949867964 CET4434986713.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.950082064 CET49867443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.950484037 CET49867443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.951378107 CET49890443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.951443911 CET4434989013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.951519012 CET49890443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.951837063 CET49890443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:22.951879025 CET4434989013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.309346914 CET49892443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.309380054 CET4434989213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.309448957 CET49892443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.311445951 CET49890443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.311819077 CET49893443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.311853886 CET4434989313.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.312179089 CET49893443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.312437057 CET49893443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.312455893 CET4434989313.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.313997984 CET49892443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.314018965 CET4434989213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.359332085 CET4434989013.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.604420900 CET49893443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.606697083 CET49894443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.606733084 CET4434989413.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.610853910 CET49894443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.614785910 CET49894443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:23.614806890 CET4434989413.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.068382025 CET4434993113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.068485975 CET49931443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.088257074 CET49931443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.088309050 CET4434993113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.088562965 CET4434993113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.089968920 CET49931443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.131339073 CET4434993113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.291383028 CET4434993213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.291448116 CET49932443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.293437004 CET49932443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.293451071 CET4434993213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.293694973 CET4434993213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.295020103 CET49932443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.339340925 CET4434993213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.606062889 CET4434993113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.646672964 CET49931443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.646754980 CET4434993113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.651137114 CET49931443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.651221037 CET4434993113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.651355028 CET49931443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.651463985 CET49941443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.651521921 CET4434994113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.651771069 CET49941443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.651990891 CET49941443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.652008057 CET4434994113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.821930885 CET4434993213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.865276098 CET49932443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.865302086 CET4434993213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.867094994 CET49932443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.867171049 CET4434993213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.867372036 CET4434993213.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.867398024 CET49932443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.867443085 CET49932443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.867772102 CET49943443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.867798090 CET4434994313.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.868038893 CET49943443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.868165016 CET49943443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:35.868179083 CET4434994313.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.041464090 CET4434994113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.041594982 CET49941443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.046854019 CET49941443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.046869993 CET4434994113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.047113895 CET4434994113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.051775932 CET49941443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.095335960 CET4434994113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.247914076 CET4434994313.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.248131990 CET49943443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.249654055 CET49943443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.249660969 CET4434994313.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.249910116 CET4434994313.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.251023054 CET49943443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.291330099 CET4434994313.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.573760986 CET4434994113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.573827982 CET4434994113.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.574107885 CET49941443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.574780941 CET49941443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.773118019 CET4434994313.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.773140907 CET4434994313.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.773196936 CET49943443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.773231983 CET4434994313.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.773803949 CET49943443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.773848057 CET4434994313.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.773890018 CET49943443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.775878906 CET49954443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.775918007 CET4434995413.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.775969982 CET49954443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.776436090 CET49955443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.776463032 CET4434995513.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.776505947 CET49955443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.776839018 CET49955443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.776850939 CET4434995513.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.777087927 CET49954443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:38.777101994 CET4434995413.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:41.125782967 CET4434995413.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:41.125883102 CET49954443192.168.2.813.232.67.199
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:41.163753033 CET4434995513.232.67.199192.168.2.8
                                                                                                                                                                                                                                                                        Nov 24, 2024 11:17:41.163842916 CET49955443192.168.2.813.232.67.199
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 24, 2024 11:15:27.743452072 CET | 192.168.2.8 | 1.1.1.1 | 0x971b | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:39.479937077 CET | 192.168.2.8 | 1.1.1.1 | 0xb163 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:42.573030949 CET | 192.168.2.8 | 1.1.1.1 | 0xb268 | Standard query (0) | ps.pndsn.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:42.620296001 CET | 192.168.2.8 | 1.1.1.1 | 0x7fd2 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:49.456413031 CET | 192.168.2.8 | 1.1.1.1 | 0xddea | Standard query (0) | ps.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:54.334918976 CET | 192.168.2.8 | 1.1.1.1 | 0xceb8 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:16:42.248584032 CET | 192.168.2.8 | 1.1.1.1 | 0x6f5d | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:16:50.225516081 CET | 192.168.2.8 | 1.1.1.1 | 0x76f6 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:16:57.006570101 CET | 192.168.2.8 | 1.1.1.1 | 0x5d6b | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:17:08.673722029 CET | 192.168.2.8 | 1.1.1.1 | 0xed4f | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:17:18.964931965 CET | 192.168.2.8 | 1.1.1.1 | 0x38a4 | Standard query (0) | agent-api.atera.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 24, 2024 11:15:27.882090092 CET | 1.1.1.1 | 192.168.2.8 | 0x971b | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:34.332247019 CET | 1.1.1.1 | 192.168.2.8 | 0xa387 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.238.0 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:34.332247019 CET | 1.1.1.1 | 192.168.2.8 | 0xa387 | No error (0) | windowsupdatebg.s.llnwi.net | | 178.79.238.128 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:36.052112103 CET | 1.1.1.1 | 192.168.2.8 | 0x395b | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:36.052112103 CET | 1.1.1.1 | 192.168.2.8 | 0x395b | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:37.679500103 CET | 1.1.1.1 | 192.168.2.8 | 0x9b7b | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:37.679500103 CET | 1.1.1.1 | 192.168.2.8 | 0x9b7b | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:37.724734068 CET | 1.1.1.1 | 192.168.2.8 | 0xad77 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:37.724734068 CET | 1.1.1.1 | 192.168.2.8 | 0xad77 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:39.616518974 CET | 1.1.1.1 | 192.168.2.8 | 0xb163 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:42.710045099 CET | 1.1.1.1 | 192.168.2.8 | 0xb268 | No error (0) | ps.pndsn.com | | 13.232.67.199 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:42.710045099 CET | 1.1.1.1 | 192.168.2.8 | 0xb268 | No error (0) | ps.pndsn.com | | 13.232.67.198 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:42.758189917 CET | 1.1.1.1 | 192.168.2.8 | 0x7fd2 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:49.593801975 CET | 1.1.1.1 | 192.168.2.8 | 0xddea | No error (0) | ps.atera.com | d25btwd9wax8gu.cloudfront.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:49.593801975 CET | 1.1.1.1 | 192.168.2.8 | 0xddea | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.93 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:49.593801975 CET | 1.1.1.1 | 192.168.2.8 | 0xddea | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.46 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:49.593801975 CET | 1.1.1.1 | 192.168.2.8 | 0xddea | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.12 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:49.593801975 CET | 1.1.1.1 | 192.168.2.8 | 0xddea | No error (0) | d25btwd9wax8gu.cloudfront.net | | 108.158.75.4 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:53.394737959 CET | 1.1.1.1 | 192.168.2.8 | 0xbec | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:15:53.394737959 CET | 1.1.1.1 | 192.168.2.8 | 0xbec | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:15:54.472749949 CET | 1.1.1.1 | 192.168.2.8 | 0xceb8 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:16:38.092104912 CET | 1.1.1.1 | 192.168.2.8 | 0x6498 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:16:38.092104912 CET | 1.1.1.1 | 192.168.2.8 | 0x6498 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:16:42.386321068 CET | 1.1.1.1 | 192.168.2.8 | 0x6f5d | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:16:50.362255096 CET | 1.1.1.1 | 192.168.2.8 | 0x76f6 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:16:57.336092949 CET | 1.1.1.1 | 192.168.2.8 | 0x5d6b | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:17:08.810410023 CET | 1.1.1.1 | 192.168.2.8 | 0xed4f | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:17:19.103296041 CET | 1.1.1.1 | 192.168.2.8 | 0x38a4 | No error (0) | agent-api.atera.com | agentsapi.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Nov 24, 2024 11:17:21.865367889 CET | 1.1.1.1 | 192.168.2.8 | 0x9402 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Nov 24, 2024 11:17:21.865367889 CET | 1.1.1.1 | 192.168.2.8 | 0x9402 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
                                                                                                                                                                                                                                                                        • ps.pndsn.com
                                                                                                                                                                                                                                                                        • ps.atera.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.8 | 49719 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe |

Timestamp: 2024-11-24 10:15:45 UTC, Bytes transferred: 183, Direction: OUT, Data:
GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=55ef0378-bd34-4bdb-83d2-4cef98847c3b&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Host: ps.pndsn.com
Connection: Keep-Alive

Timestamp: 2024-11-24 10:15:45 UTC, Bytes transferred: 242, Direction: IN, Data:
HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:45 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *

Timestamp: 2024-11-24 10:15:45 UTC, Bytes transferred: 19, Direction: IN, Data:
Data Raw: 5b 31 37 33 32 34 34 33 33 34 35 33 36 38 37 31 32 30 5d
Data Ascii: [17324433453687120]


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.8 | 49722 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe |

Timestamp: 2024-11-24 10:15:45 UTC, Bytes transferred: 364, Direction: OUT, Data:
GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=35924d94-0058-4718-9b1f-2ddd57458183&tt=0&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
Connection: Keep-Alive

Timestamp: 2024-11-24 10:15:45 UTC, Bytes transferred: 277, Direction: IN, Data:
HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:45 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *

Timestamp: 2024-11-24 10:15:45 UTC, Bytes transferred: 45, Direction: IN, Data:
Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 34 35 33 31 36 34 33 35 38 22 2c 22 72 22 3a 33 33 7d 2c 22 6d 22 3a 5b 5d 7d
Data Ascii: {"t":{"t":"17324433453164358","r":33},"m":[]}


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.8 | 49725 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe |

Timestamp: 2024-11-24 10:15:48 UTC, Bytes transferred: 159, Direction: OUT, Data:
GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f087f5f2-7b58-49f6-808f-3ff0a062bb98&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Host: ps.pndsn.com

Timestamp: 2024-11-24 10:15:49 UTC, Bytes transferred: 242, Direction: IN, Data:
HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:48 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *

Timestamp: 2024-11-24 10:15:49 UTC, Bytes transferred: 19, Direction: IN, Data:
Data Raw: 5b 31 37 33 32 34 34 33 33 34 38 37 37 32 32 33 30 34 5d
Data Ascii: [17324433487722304]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49726 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:48 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2cd035b5-493b-42ef-8a0c-7668843cdc0d&tr=33&tt=17324433453164358&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:15:49 UTC | 279 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:48 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 1879
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
                                                                                                                                                                                                                                                                        2024-11-24 10:15:49 UTC1879INData Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 34 37 34 32 34 32 33 35 31 22 2c 22 72 22 3a 33 33 7d 2c 22 6d 22 3a 5b 7b 22 61 22 3a 22 32 22 2c 22 66 22 3a 30 2c 22 69 22 3a 22 38 32 39 31 62 66 32 61 2d 33 31 61 32 2d 34 66 34 37 2d 38 62 64 36 2d 31 35 30 39 64 65 66 30 64 64 39 38 22 2c 22 70 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 34 37 34 32 34 32 33 35 31 22 2c 22 72 22 3a 34 33 7d 2c 22 6b 22 3a 22 73 75 62 2d 63 2d 61 30 32 63 65 63 61 38 2d 61 39 35 38 2d 31 31 65 35 2d 62 64 38 63 2d 30 36 31 39 66 38 39 34 35 61 34 66 22 2c 22 63 22 3a 22 64 31 35 64 65 66 35 61 2d 65 66 62 34 2d 34 33 30 33 2d 39 38 63 39 2d 63 66 36 32 35 30 31 61 32 34 64 39 22 2c 22 64 22 3a 7b 22 43 6f 6d 6d 61 6e 64 49 64 22 3a 22 65 61 63 38 31 31 35
                                                                                                                                                                                                                                                                        Data Ascii: {"t":{"t":"17324433474242351","r":33},"m":[{"a":"2","f":0,"i":"8291bf2a-31a2-4f47-8bd6-1509def0dd98","p":{"t":"17324433474242351","r":43},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"d15def5a-efb4-4303-98c9-cf62501a24d9","d":{"CommandId":"eac8115


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49732 | 108.158.75.93 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:51 UTC | 212 | OUT | GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?ooiAewSNq46iHqMptNhaEhfX2X8bbCxVwRliPM24sW+tjAzbftGD6UpEklYpoosk HTTP/1.1
Host: ps.atera.com
Connection: Keep-Alive
2024-11-24 10:15:52 UTC | 671 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 384542
Connection: close
Content-MD5: SgmofSAE2sSwBofpyfFQNg==
Last-Modified: Tue, 12 Nov 2024 07:13:54 GMT
ETag: 0x8DD02E9910FA268
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 4f2b2192-601e-007b-57cf-3c3f56000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sat, 23 Nov 2024 11:11:18 GMT
Vary: Accept-Encoding
X-Cache: Hit from cloudfront
Via: 1.1 6481f3b72e695f5d2b0b995611da44a2.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: BAH53-P2
X-Amz-Cf-Id: O2XjcRBvLyjkvQQTLuN4ZcBFxG3Z8zlsJROQqlIyHjC5WyoJOQv1Fw==
Age: 83072
                                                                                                                                                                                                                                                                        2024-11-24 10:15:52 UTC15713INData Raw: 50 4b 03 04 2d 00 09 08 08 00 b9 39 6c 59 b5 ba a1 7d ff ff ff ff ff ff ff ff 3d 00 14 00 41 67 65 6e 74 50 61 63 6b 61 67 65 41 67 65 6e 74 49 6e 66 6f 72 6d 61 74 69 6f 6e 2f 41 67 65 6e 74 50 61 63 6b 61 67 65 41 67 65 6e 74 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 65 78 65 01 00 10 00 28 b6 02 00 00 00 00 00 df 1b 01 00 00 00 00 00 e3 12 a7 01 2c f1 1b de 31 c7 8a 39 3e 6b 73 27 36 d0 73 2b 61 ce ce e3 d2 b6 cb 71 21 62 f9 4e 18 e5 1e a6 ed c3 a5 43 de 14 0c f6 81 ff 20 24 ff d5 3a 2d 75 b6 26 8e d9 8b a4 ae e1 2e bd 40 7e 84 03 06 21 73 f7 1f ae 94 a0 7d ab a6 99 3b a0 b8 5f e3 30 9a 41 f2 ec e6 d0 a8 20 53 e8 c2 17 fd 08 50 b9 08 97 28 2f f1 4c 63 d3 c6 76 04 21 b5 c3 d7 bb be b4 9c 43 48 ed cb 7f 13 28 f5 12 6a cb 1b 54 89 c5 9d 34 6d 19 74 79 dc 8f 06
                                                                                                                                                                                                                                                                        Data Ascii: PK-9lY}=AgentPackageAgentInformation/AgentPackageAgentInformation.exe(,19>ks'6s+aq!bNC $:-u&.@~!s};_0A SP(/Lcv!CH(jT4mty


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49731 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:51 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=30c82597-9c84-4489-895a-c306fe08576d&tr=33&tt=17324433474242351&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:45 UTC | 279 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:44 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 1869
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:45 UTC | 1869 | IN | Data Ascii: {"t":{"t":"17324434048824613","r":33},"m":[{"a":"2","f":0,"i":"b3b73710-889c-4467-b264-7a1d0fef8f72","p":{"t":"17324434048824613","r":43},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"d15def5a-efb4-4303-98c9-cf62501a24d9","d":{"CommandId":"a6f7500


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49730 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:15:51 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1525893c-da1a-47f1-9090-c6703d359f6f&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:15:52 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:15:52 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:15:52 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 35 32 31 37 39 31 35 36 30 5d
Data Ascii: [17324433521791560]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49739 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:36 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=3baba941-f261-496a-b933-9bd308fa7c86&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:37 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:37 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:37 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 39 37 32 31 31 34 39 38 37 5d
Data Ascii: [17324433972114987]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.8 | 49741 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:39 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=bbab8eac-80d9-4b85-82f6-9bd41fbab092&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:40 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:40 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:40 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.8 | 49762 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:47 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=625c342a-f58d-4894-88a7-0f12a73d0e0b&tr=33&tt=17324434048824613&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.8 | 49761 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:47 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6c6b49c3-4df6-4101-91fb-684d4f16fd73&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:48 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:47 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:48 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 30 37 39 38 37 33 39 34 32 5d
Data Ascii: [17324434079873942]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.8 | 49780 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:54 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0b5482b4-128a-47b8-9bcd-b0f99b563300&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:54 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:54 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
                                                                                                                                                                                                                                                                        Age: 0
                                                                                                                                                                                                                                                                        Cache-Control: no-cache
                                                                                                                                                                                                                                                                        Accept-Ranges: bytes
                                                                                                                                                                                                                                                                        Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                        Access-Control-Expose-Headers: *
                                                                                                                                                                                                                                                                        2024-11-24 10:16:54 UTC74INData Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
                                                                                                                                                                                                                                                                        Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.8 | 49782 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:54 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ff2dd1d9-885a-46fe-8e7f-5a540ad227d3&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:16:54 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:54 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:54 UTC | 19 | IN | Data Ascii: [17324434145246481]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.8 | 49789 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:57 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=392754e5-9d09-4f5e-8c18-73d91936b641&tt=0&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:16:57 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:57 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:57 UTC | 45 | IN | Data Ascii: {"t":{"t":"17324434048824613","r":33},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.8 | 49800 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:00 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9e43bce9-1db6-46f2-9171-f572e6753fbc&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:00 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:00 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:00 UTC | 19 | IN | Data Ascii: [17324434202814193]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.8 | 49801 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:00 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=958b96e4-e399-41e9-8d58-0d1deb75a616&tr=33&tt=17324434048824613&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:01 UTC | 279 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:00 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 1864
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:01 UTC | 1181 | IN | Data Ascii: {"t":{"t":"17324434200461240","r":33},"m":[{"a":"2","f":0,"i":"0960a40c-94f0-40fa-a1d5-60a213bc34ed","p":{"t":"17324434200461240","r":42},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"d15def5a-efb4-4303-98c9-cf62501a24d9","d":{"CommandId":"832c3a8
2024-11-24 10:17:01 UTC | 683 | IN | Data Ascii: ecksum":"4415f2fc13589b19a09bbdd091c4f6f733eda85d","Signature":"jQ19b/dftF50sW9303tojrHws98fRwsjzYupL8iw/1Xd4DJnna4i5IoTqPy2MpdJ4bMvUXs0a6U8crlGZcRZ\u002BGQbZ2PDDPhq\u002B5j/ymC9OBIEIGWPFBewrE/dpTSlc7LVOlR7YH0NwTAkR0oU9f7Zvfk4\u002BnbJ0QiGTFzjqxF/XN1GGSAM


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.8 | 49810 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:03 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e7ba127d-faea-46b0-8bfc-b1b2fcc38621&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:03 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:03 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:03 UTC | 19 | IN | Data Ascii: [17324434237155036]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.8 | 49811 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:03 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=85c15caa-37cb-46fd-a6ee-c8729985b9f4&tr=33&tt=17324434200461240&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.8 | 49819 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:06 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=04a73581-89d2-414b-b671-e3efd26147f3&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:06 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:06 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:06 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.8 | 49826 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:08 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=28ed73a9-9db5-44d7-acaf-721c9a49ce4c&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:09 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:08 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:09 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 32 38 38 30 37 37 36 35 38 5d
Data Ascii: [17324434288077658]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.8 | 49832 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:09 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2d3ae8ae-040f-464c-8cba-7d2785f40888&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:09 UTC | 323 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:09 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 29
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:09 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.8 | 49846 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:13 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9b2f45ce-12e9-4161-ad72-09f2e15b84d0&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:14 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:13 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:14 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 33 33 38 37 39 37 36 31 39 5d
Data Ascii: [17324434338797619]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.8 | 49845 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:13 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=da1cc509-7766-41b3-99b4-204f1ef88690&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:14 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:14 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:14 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.8 | 49857 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:16 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1b1043f4-4037-4343-9561-1316ef9829bf&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:17 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:16 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:17 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.8 | 49859 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:16 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ccc99601-6851-4238-90a7-17abb94d8a97&tt=0&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:17 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:17 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:17 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 32 30 30 34 36 31 32 34 30 22 2c 22 72 22 3a 33 33 7d 2c 22 6d 22 3a 5b 5d 7d
Data Ascii: {"t":{"t":"17324434200461240","r":33},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.8 | 49870 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:20 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=75a7f166-9092-405a-aa00-38a9a77e5eae&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:20 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:20 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:20 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 34 30 35 31 36 38 31 36 34 5d
Data Ascii: [17324434405168164]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.8 | 49867 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:22 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a3aed830-4538-4a0c-8880-b4e93ae94626&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:22 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:22 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:22 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.8 | 49892 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:25 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d88a8beb-580c-4eae-be4b-b07e69debebd&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:26 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:25 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:26 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 34 35 39 31 37 30 33 34 32 5d
Data Ascii: [17324434459170342]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.8 | 49907 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:29 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1043b6b4-24c3-4b2c-8715-05fa1152bb8e&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:29 UTC | 323 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:29 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 12
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:29 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.8 | 49905 | 13.232.67.199 | 443 | 1240 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:29 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=deedb6f3-d7ab-40dc-bc11-0b1184a6d22a&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:29 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:29 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:29 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port
30 | 192.168.2.8 | 49920 | 13.232.67.199 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:32 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7ad76688-4452-435a-8518-58b2eaee9c6b&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:32 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:32 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:32 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 35 32 34 38 35 30 39 33 30 5d
Data Ascii: [17324434524850930]


Session ID | Source IP | Source Port | Destination IP | Destination Port
31 | 192.168.2.8 | 49919 | 13.232.67.199 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:32 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0b7f434f-4e93-4de1-96e0-b290421338b8&tt=0&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:32 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:32 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:32 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 33 38 39 33 36 36 32 38 33 22 2c 22 72 22 3a 33 33 7d 2c 22 6d 22 3a 5b 5d 7d
Data Ascii: {"t":{"t":"17324434389366283","r":33},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port
32 | 192.168.2.8 | 49931 | 13.232.67.199 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:35 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2f81232c-ba3d-448d-ad5c-71e3d13e104d&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:35 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:35 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:35 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


                                                                                                                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination Port
                                                                                                                                                                                                                                                                        33192.168.2.84993213.232.67.199443
                                                                                                                                                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                        2024-11-24 10:17:35 UTC354OUTGET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/d15def5a-efb4-4303-98c9-cf62501a24d9/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=be00bfee-7c6d-496b-a7d0-fdd77a8acffb&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
                                                                                                                                                                                                                                                                        Cache-Control: no-cache
                                                                                                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                                                                                                        Content-Type: application/json
                                                                                                                                                                                                                                                                        Host: ps.pndsn.com
2024-11-24 10:17:35 UTC | 322 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                        Date: Sun, 24 Nov 2024 10:17:35 GMT
                                                                                                                                                                                                                                                                        Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                        Content-Length: 74
                                                                                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                                                                                        Access-Control-Allow-Methods: OPTIONS, GET, POST
                                                                                                                                                                                                                                                                        Age: 0
                                                                                                                                                                                                                                                                        Cache-Control: no-cache
                                                                                                                                                                                                                                                                        Accept-Ranges: bytes
                                                                                                                                                                                                                                                                        Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                        Access-Control-Expose-Headers: *
2024-11-24 10:17:35 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
                                                                                                                                                                                                                                                                        Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port
34 | 192.168.2.8 | 49941 | 13.232.67.199 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:38 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f2b2651c-4fd7-4f48-bd8b-32fdf2d1d2f4&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
                                                                                                                                                                                                                                                                        Host: ps.pndsn.com
2024-11-24 10:17:38 UTC | 242 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                        Date: Sun, 24 Nov 2024 10:17:38 GMT
                                                                                                                                                                                                                                                                        Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                                                                                        Content-Length: 19
                                                                                                                                                                                                                                                                        Cache-Control: no-cache
                                                                                                                                                                                                                                                                        Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                        Access-Control-Expose-Headers: *
2024-11-24 10:17:38 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 35 38 33 31 35 34 34 38 33 5d
                                                                                                                                                                                                                                                                        Data Ascii: [17324434583154483]


Session ID | Source IP | Source Port | Destination IP | Destination Port
35 | 192.168.2.8 | 49943 | 13.232.67.199 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:38 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/d15def5a-efb4-4303-98c9-cf62501a24d9/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=df88223c-6673-43b9-8836-8487bfe2f07f&tr=33&tt=17324434389366283&uuid=d15def5a-efb4-4303-98c9-cf62501a24d9 HTTP/1.1
                                                                                                                                                                                                                                                                        Cache-Control: no-cache
                                                                                                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                                                                                                        Content-Type: application/json
                                                                                                                                                                                                                                                                        Host: ps.pndsn.com
2024-11-24 10:17:38 UTC | 279 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                        Date: Sun, 24 Nov 2024 10:17:38 GMT
                                                                                                                                                                                                                                                                        Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                        Content-Length: 1884
                                                                                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                                                                                        Cache-Control: no-cache
                                                                                                                                                                                                                                                                        Access-Control-Allow-Methods: GET
                                                                                                                                                                                                                                                                        Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                        Access-Control-Expose-Headers: *
2024-11-24 10:17:38 UTC | 1884 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 35 34 34 39 30 32 37 30 30 22 2c 22 72 22 3a 33 33 7d 2c 22 6d 22 3a 5b 7b 22 61 22 3a 22 32 22 2c 22 66 22 3a 30 2c 22 69 22 3a 22 66 31 63 37 62 34 30 35 2d 63 64 61 38 2d 34 64 38 37 2d 61 30 66 62 2d 39 38 62 61 63 61 37 66 63 65 34 64 22 2c 22 70 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 35 34 34 39 30 32 37 30 30 22 2c 22 72 22 3a 34 31 7d 2c 22 6b 22 3a 22 73 75 62 2d 63 2d 61 30 32 63 65 63 61 38 2d 61 39 35 38 2d 31 31 65 35 2d 62 64 38 63 2d 30 36 31 39 66 38 39 34 35 61 34 66 22 2c 22 63 22 3a 22 64 31 35 64 65 66 35 61 2d 65 66 62 34 2d 34 33 30 33 2d 39 38 63 39 2d 63 66 36 32 35 30 31 61 32 34 64 39 22 2c 22 64 22 3a 7b 22 43 6f 6d 6d 61 6e 64 49 64 22 3a 22 31 62 62 65 36 37 63
                                                                                                                                                                                                                                                                        Data Ascii: {"t":{"t":"17324434544902700","r":33},"m":[{"a":"2","f":0,"i":"f1c7b405-cda8-4d87-a0fb-98baca7fce4d","p":{"t":"17324434544902700","r":41},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"d15def5a-efb4-4303-98c9-cf62501a24d9","d":{"CommandId":"1bbe67c


                                                                                                                                                                                                                                                                        Target ID:0
                                                                                                                                                                                                                                                                        Start time:05:15:22
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\file_66efd0132ceed.msi"
                                                                                                                                                                                                                                                                        Imagebase:0x7ff685ca0000
                                                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                                        Target ID:2
                                                                                                                                                                                                                                                                        Start time:05:15:22
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                        Imagebase:0x7ff685ca0000
                                                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                                                        Target ID:3
                                                                                                                                                                                                                                                                        Start time:05:15:23
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 799218A43054AFC7292CF5EAEECA0917
                                                                                                                                                                                                                                                                        Imagebase:0x240000
                                                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                                        Target ID:4
                                                                                                                                                                                                                                                                        Start time:05:15:23
Start date:24/11/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSIF0D6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7205156 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Imagebase:0xfc0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.1510037632.000000000467A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:5
Start time:05:15:24
Start date:24/11/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSIF626.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7206484 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Imagebase:0xfc0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.1573091251.00000000052F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.1519110832.0000000004F60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.1573091251.0000000005251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:6
Start time:05:15:30
Start date:24/11/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSIC7E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7212171 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Imagebase:0xfc0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000006.00000003.1576149195.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:7
Start time:05:15:30
Start date:24/11/2024
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 3732F891DB04E80DEAE37B187BFD9D4C E Global\MSI0000
Imagebase:0x240000
File size:59'904 bytes
MD5 hash:9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:05:15:30
Start date:24/11/2024
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:"NET" STOP AteraAgent
Imagebase:0x5d0000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:05:15:30
Start date:24/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:05:15:31
Start date:24/11/2024
Path:C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\net1 STOP AteraAgent
Imagebase:0x60000
File size:139'776 bytes
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:05:15:31
Start date:24/11/2024
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:"TaskKill.exe" /f /im AteraAgent.exe
Imagebase:0xa70000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:12
Start time:05:15:31
Start date:24/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:05:15:32
Start date:24/11/2024
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="veronicacc@ilsamexico.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LzG3lIAF" /AgentId="d15def5a-efb4-4303-98c9-cf62501a24d9"
Imagebase:0x2d237900000
File size:145'968 bytes
MD5 hash:477293F80461713D51A98A24023D45E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
Antivirus matches:
• Detection: 26%, ReversingLabs
Has exited:true

Target ID:14
Start time:05:15:37
Start date:24/11/2024
Path:C:\Windows\System32\SIHClient.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\sihclient.exe /cv sXgXgx6V+U2s/Rk0DSIwWw.0.2
Imagebase:0x7ff65b420000
File size:380'720 bytes
MD5 hash:8BE47315BF30475EEECE8E39599E9273
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:15
Start time:05:15:37
Start date:24/11/2024
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Imagebase:0x1f37dd40000
File size:145'968 bytes
MD5 hash:477293F80461713D51A98A24023D45E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
                                                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                                                        Target ID:16
                                                                                                                                                                                                                                                                        Start time:05:15:38
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                                                        Imagebase:0x7ff65aab0000
                                                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                                        Target ID:17
                                                                                                                                                                                                                                                                        Start time:05:15:38
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                        Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                                        Target ID:18
                                                                                                                                                                                                                                                                        Start time:05:15:38
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI2EE0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7220984 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                                                        Imagebase:0xfc0000
                                                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1722067056.0000000004BB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1722067056.0000000004B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000003.1664054226.0000000004911000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                                        Target ID:21
                                                                                                                                                                                                                                                                        Start time:05:15:55
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "eac8115e-5d3a-4a50-9055-1d945ab05897" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LzG3lIAF
                                                                                                                                                                                                                                                                        Imagebase:0x20ddc6c0000
                                                                                                                                                                                                                                                                        File size:177'704 bytes
                                                                                                                                                                                                                                                                        MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                                        Target ID:22
                                                                                                                                                                                                                                                                        Start time:05:15:55
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                        Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                                        Target ID:23
                                                                                                                                                                                                                                                                        Start time:05:15:59
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                                        Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                                                                                                                                                                                        Imagebase:0x7ff747940000
                                                                                                                                                                                                                                                                        File size:468'120 bytes
                                                                                                                                                                                                                                                                        MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                                        Target ID:24
                                                                                                                                                                                                                                                                        Start time:05:16:00
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                        Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                                        Target ID:25
                                                                                                                                                                                                                                                                        Start time:05:16:44
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "a6f75002-7e52-4050-bf2e-b05386661724" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LzG3lIAF
                                                                                                                                                                                                                                                                        Imagebase:0x258cbc00000
                                                                                                                                                                                                                                                                        File size:177'704 bytes
                                                                                                                                                                                                                                                                        MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2350356744.00000258CC663000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2349386857.00000258CBDB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2350356744.00000258CC627000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2349386857.00000258CBDB9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2350356744.00000258CC5E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2349386857.00000258CBDF2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2350210321.00000258CC0A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2350356744.00000258CC653000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2349386857.00000258CBDCC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2349386857.00000258CBE35000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2349386857.00000258CBDEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2350356744.00000258CC69F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                                                                                                        Start time:05:16:44
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                        Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                                        Target ID:28
                                                                                                                                                                                                                                                                        Start time:05:17:00
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" d15def5a-efb4-4303-98c9-cf62501a24d9 "832c3a8d-c1ac-4e47-a5dd-e5330b8175f2" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LzG3lIAF
                                                                                                                                                                                                                                                                        Imagebase:0x2917dcd0000
                                                                                                                                                                                                                                                                        File size:177'704 bytes
                                                                                                                                                                                                                                                                        MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2509242907.0000029100073000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2511482424.000002917DF5A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2511482424.000002917DED0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2511482424.000002917DF0D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2509242907.00000291000BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2511409806.000002917DEB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2511482424.000002917DEEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2511482424.000002917DED9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2509242907.0000029100083000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2509242907.0000029100001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2509242907.0000029100047000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                                        Target ID:29
                                                                                                                                                                                                                                                                        Start time:05:17:00
                                                                                                                                                                                                                                                                        Start date:24/11/2024
                                                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                        Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 9313426058b1e91f07bdc4a7b4828597a30b7cceb5eedd387fe0343d057e329b
                                                                                                                                                                                                                                                                          • Instruction ID: 985d47b0f52d19fac5106788332f71627d39ac2a46e07c6716a149dc0dccdcee
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9313426058b1e91f07bdc4a7b4828597a30b7cceb5eedd387fe0343d057e329b
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8EE06570C05205CFC790EF79D841199BFF5BF1920072146AEC459C7210F736864BCB91
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 0e3d9e0ae1f11af86711bcc4160d1bde69633f7e2fb9c4581718acb062d211b2
                                                                                                                                                                                                                                                                          • Instruction ID: 03db453a50d973ddcacdc5bf7e0c76355e5b186dfac7d361057681faab375ed9
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e3d9e0ae1f11af86711bcc4160d1bde69633f7e2fb9c4581718acb062d211b2
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E71D735B002049FEB44ABB5CC5876EB7A7AFC8210F198129E906DB360DF34DD42D795
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 4e7f766bcf78ce1c987a6a7ccc1cbff45ad3d0d6905c13f0905deacaf4145889
                                                                                                                                                                                                                                                                          • Instruction ID: 39d8535ff2f140c1cb41a290de0b28555a0182cbcacb2b994fbc6b36f29feb3d
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4e7f766bcf78ce1c987a6a7ccc1cbff45ad3d0d6905c13f0905deacaf4145889
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44512531B052118FC710CF68DC90A6ABBF5FF49304B2681AAD858DB362DB35DE85C791
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 32a68d833166764fc0694ed12e6a88eb990e534cd495d1a0eb30819bce00d6d9
                                                                                                                                                                                                                                                                          • Instruction ID: 488af9925792d6af2daca8f4f34ba8f5719031f66cd084e393365c7ba988bf58
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32a68d833166764fc0694ed12e6a88eb990e534cd495d1a0eb30819bce00d6d9
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1051EF35B012488FDB55DF78DC446AEBBA6EFC9240B18822AE815D7360DF309D52CBA1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 0ace313d9317eb540b42942a61dc1cd886cb92dce374582441cabac36fcbbe78
                                                                                                                                                                                                                                                                          • Instruction ID: b6b4decd88c74e5a8a8fc176f86fff0f4c20f05e46467214249611f3e96c6080
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ace313d9317eb540b42942a61dc1cd886cb92dce374582441cabac36fcbbe78
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5B513330B04244AFEB55AB68D8587AE7BB2EFC9310F19446ED846E7381CE384C49C7A1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: da566bfd23a77e9d13e2e8bb71a38b1f224702ca29d3e6106e7996ba2f846b5b
                                                                                                                                                                                                                                                                          • Instruction ID: 4f693e6569be4b48a593f94d118bdee0d6ebd750ff0c27d6739c1fb418b971b9
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da566bfd23a77e9d13e2e8bb71a38b1f224702ca29d3e6106e7996ba2f846b5b
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 00314621B183544BF76A6B355C2436E3BDB8FC1600F05886EDC02C7382DD2C9E8A93A9
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: cc5ce6c5261a8ccde98a68f883b078fb08d9db938578a651d5c971a9c2dbb14a
                                                                                                                                                                                                                                                                          • Instruction ID: 2cceff256b190b1da34174cf42c3dac314e7babbb41cfff1c22e05069501d0a3
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc5ce6c5261a8ccde98a68f883b078fb08d9db938578a651d5c971a9c2dbb14a
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A341F635B101149FCB94DF68D88099EBBF6FB8D310B158169E905EB360DB31AD41CB94
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 78849f91363288f583e1e87eca021bc38cace920a4863af5df80532dcc7212d7
                                                                                                                                                                                                                                                                          • Instruction ID: 579ca1fa7ccaef2f47ebe70a233f82faff144c7f865a2230d38268437e91e8d5
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 78849f91363288f583e1e87eca021bc38cace920a4863af5df80532dcc7212d7
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 93216B21B193944FE76A6B359C503693FEB4F91600F06486EDC42C7382DE6C9E899379
Memory Dump Source
• Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1516088176.000000000467D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0467D000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_467d000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 5b81ad5e732c5ecdab34f0a27de964392bd2f1fb928fc80b04fb5c4d97e31cd1
                                                                                                                                                                                                                                                                          • Instruction ID: c898e61ade0408c4a2ad50d49d50a212caddec5fbf265bd9173445f027536fbd
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b81ad5e732c5ecdab34f0a27de964392bd2f1fb928fc80b04fb5c4d97e31cd1
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EC01DB715043449FE7104E25DCC4B67BFD8EF51725F18C95AED494B282E379A842C7B1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1516088176.000000000467D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0467D000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_467d000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: c23c209109462826552ddf5b432129a3bbca4f3da9664fceca8aa7f246eca316
                                                                                                                                                                                                                                                                          • Instruction ID: eed80e7fbf18ea784e81976bf8e7eacd85ee864e9e98b0a64f061a39e0b75e38
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c23c209109462826552ddf5b432129a3bbca4f3da9664fceca8aa7f246eca316
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B901717100E3C49FD7128B259C94B52BFB4DF53224F1D85DBD9888F2A3C2699849C772
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: aa5323d3a95e7e01177620d533e1523ed2dec11f68eff75d50d327efb8cf7bcf
                                                                                                                                                                                                                                                                          • Instruction ID: 797537a3c431dd072605901e5ea83e4d762cce6b16c09289e4ddd268762273f8
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aa5323d3a95e7e01177620d533e1523ed2dec11f68eff75d50d327efb8cf7bcf
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FCF02B36A0A3946FD341376878543997FE8DF42211F1648DBC995C7153E928894DC399
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: acb74b568b465f6bc2f48b3edac007398a2d2c93993d7a45f7aca999eeccb566
                                                                                                                                                                                                                                                                          • Instruction ID: cb75c32b5e195f32e817b04442c48d3fe4196013678089802d507515625723d1
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: acb74b568b465f6bc2f48b3edac007398a2d2c93993d7a45f7aca999eeccb566
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01F04634A01302AFDB0AAF78692432E3FD6EEC15143090C5EC985CF190EB248804C3D1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 997a83eac03009aa3bf1e5454e021491e81cc23fe1e718934c9c30539164295c
                                                                                                                                                                                                                                                                          • Instruction ID: 0554ffec6d92885ddfe0b13275965ce6f73901a4fe2365b0fb7ec68755fff93d
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 997a83eac03009aa3bf1e5454e021491e81cc23fe1e718934c9c30539164295c
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B5F0B437A101948BC71D9A78E4581EDBBB6EFD8210B30856ED893A7680EF754D1DCB50
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: aef1e90fd092c14ece0462c1681faa54e8117e304ed0ccf062f7f0232456472a
                                                                                                                                                                                                                                                                          • Instruction ID: 71cb95d26555965d932391c4dd71ad13a6c98468eb0c828ede0b2e3290457f5c
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aef1e90fd092c14ece0462c1681faa54e8117e304ed0ccf062f7f0232456472a
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 22E06520B2431806EBA835695C10BA626CA4B80A04F02093EDC03C7682E9CCEBC423EA
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 15d5b2e6013c8ad324e7776dfe434293b14535e61eb7d6c80021138f19c9c54d
                                                                                                                                                                                                                                                                          • Instruction ID: 85a1207b605c6205dc97fe3db331d64f3c3feb539312b0b9a16890324e2a914d
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 15d5b2e6013c8ad324e7776dfe434293b14535e61eb7d6c80021138f19c9c54d
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6DE0E532F201588BCB489669E8545EDB7BAEBC8211B11803ADC13A3340EF741D09CB90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 00381027cc4909524a6c3b22973af7bcfb7d13c8f1e2bdcd54e037e75d439730
                                                                                                                                                                                                                                                                          • Instruction ID: aa29d87dec5ed72a95db9d7f3c645054693f6c5d2576450e059242b9cbd6368c
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 00381027cc4909524a6c3b22973af7bcfb7d13c8f1e2bdcd54e037e75d439730
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CFD0C2327003146F9714EAB99804A9E7BD9DE80061700446ED50EC7240EE35A8404394
Memory Dump Source
• Source File: 00000004.00000003.1515461536.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
Strings
Memory Dump Source
• Source File: 00000005.00000003.1571168908.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5200000_rundll32.jbxd
Similarity
• API ID:
• String ID: |k.t
• API String ID: 0-406870256
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571168908.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5200000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: l;5t$?5t
                                                                                                                                                                                                                                                                          • API String ID: 0-2531769935
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: |75t
                                                                                                                                                                                                                                                                          • API String ID: 0-3570418878
                                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05209FF8
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571168908.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5200000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05209FF8
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571168908.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5200000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: Qm^
                                                                                                                                                                                                                                                                          • API String ID: 0-3826623905
Strings
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
Similarity
• API ID:
• String ID: Qm^
• API String ID: 0-3826623905
Strings
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
Similarity
• API ID:
• String ID: Qm^
• API String ID: 0-3826623905
Strings
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
Similarity
• API ID:
• String ID: L<5t
• API String ID: 0-682513406
Strings
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
Similarity
• API ID:
• String ID: |75t
• API String ID: 0-3570418878
Strings
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
Similarity
• API ID:
• String ID: T;5t
• API String ID: 0-3092003339
Strings
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
Similarity
• API ID:
• String ID: L<5t
• API String ID: 0-682513406
Strings
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
Similarity
• API ID:
• String ID: TRIBPROP
• API String ID: 0-3000990980
Strings
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
Similarity
• API ID:
• String ID: m
• API String ID: 0-3775001192
Strings
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
Similarity
• API ID:
• String ID: TRIBPROP
                                                                                                                                                                                                                                                                          • API String ID: 0-3000990980
                                                                                                                                                                                                                                                                          • Opcode ID: bc981f4a81132f556bf587a77c28918ddcea0a4a04910d7c5a7cf4ead867bb79
                                                                                                                                                                                                                                                                          • Instruction ID: 949f05fd1912f2260ccebf761ef697d7a231092eb6e80741fdfd58fa7f15a33a
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc981f4a81132f556bf587a77c28918ddcea0a4a04910d7c5a7cf4ead867bb79
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C901AD71B00228A7EB18AA68C8997AF7AB6ABC8700F1541299102F3781CF754D41CBD1
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: C8
                                                                                                                                                                                                                                                                          • API String ID: 0-816706217
                                                                                                                                                                                                                                                                          • Opcode ID: f900b4068971fd1fc0cc394dcea828504304fa5a0dd7770161147e977e8787c2
                                                                                                                                                                                                                                                                          • Instruction ID: 51592f81879c16135b0eaabf15080f9dce1eca467c7d3e34e23c6ad56f9b0dc3
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f900b4068971fd1fc0cc394dcea828504304fa5a0dd7770161147e977e8787c2
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8C01D1367103204FDB15DA58E884BBE73B7FBC4611F54855ADA016B384DB746D068BC5
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: C8
                                                                                                                                                                                                                                                                          • API String ID: 0-816706217
                                                                                                                                                                                                                                                                          • Opcode ID: 0536167d1a8ca821525f01b0e568e138162c02820a4de82861880dc2d1b48db7
                                                                                                                                                                                                                                                                          • Instruction ID: 6afc717b06135b6f97374837a77201b41932e0309b5545ced08eafa34b5f71e1
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0536167d1a8ca821525f01b0e568e138162c02820a4de82861880dc2d1b48db7
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F7F0FF367103204BCF15965898406BD7367FBC4A21F5985AADA016B380EF74AC0287D0
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: T;5t
                                                                                                                                                                                                                                                                          • API String ID: 0-3092003339
                                                                                                                                                                                                                                                                          • Opcode ID: c704ac050be9650c356dfb360ed5e9ef9b3e05b9b5b88694e672da7b3e4f02bd
                                                                                                                                                                                                                                                                          • Instruction ID: 053a0ab0b212bda611bfc9bd63cf3253c313ade529129029a5694d26f2106fb4
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c704ac050be9650c356dfb360ed5e9ef9b3e05b9b5b88694e672da7b3e4f02bd
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 34F02E3A3092400FC74647BD54504BDAFB7AFC981135A04ABD049CB3A2CD5A8D0B4762
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: b7ee801f2cdbfeb48b42ff741dbac635014f01edf084dda4880599d854aae52e
                                                                                                                                                                                                                                                                          • Instruction ID: a59d5a9fbd2a746ce2ca16900d0dbc49d53d16a09aa16abfd3f735662e66f2a3
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b7ee801f2cdbfeb48b42ff741dbac635014f01edf084dda4880599d854aae52e
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EAA2D634900228DFEB269F60D854BEDBBB2BF8A701F1045E9D5096B290DF359E85DF81
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: e2f9a4708758f1747fadec9acb1a124cc108a36472b513188350a1d5fcedee62
                                                                                                                                                                                                                                                                          • Instruction ID: 97b3aa6fcfdf8243e0c1d2f847f54c36a01818ab6ac59215c1409d909fdf014a
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e2f9a4708758f1747fadec9acb1a124cc108a36472b513188350a1d5fcedee62
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B492C234900228DFEB269F61D854BEEBBB2BF89701F1045E9D5096B290DF319E85DF81
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 520968e7ebf169a396cd73e9ad4076d4a45d463d7a15572b5471ba78db434191
                                                                                                                                                                                                                                                                          • Instruction ID: 853d2a86b76b08a7ed6f2e315528dcf46668c198937c7e1c8d32f1ac590942a6
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 520968e7ebf169a396cd73e9ad4076d4a45d463d7a15572b5471ba78db434191
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4FF14C34A043698FDB05DFA8C884A9DBBF2FF89300F158195D849AB395DB74ED85CB90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: b19cfea3dbe0a9d3334fdd1812a478934c64a4bbdb6949c372ffa8ade977c2f5
                                                                                                                                                                                                                                                                          • Instruction ID: a79a4e329e14d41b01ff4c9edd5b9375a9a7ec100093264da02c295a37b4733d
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b19cfea3dbe0a9d3334fdd1812a478934c64a4bbdb6949c372ffa8ade977c2f5
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3CC16F74B10225DFDB18DFA5D594ABEBBB6BF88200F148129D802EB394EF749C41CB91
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 9ffa6a40c546fe445c2d8e05e38d9dfd26a81d49564a550e7b6ef04284ad052c
                                                                                                                                                                                                                                                                          • Instruction ID: 129cc37d19a5882cee72d68bf57a050050885c51d39676f100547319ad8a6b00
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9ffa6a40c546fe445c2d8e05e38d9dfd26a81d49564a550e7b6ef04284ad052c
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A3510579A00309AFEF06EFA4E8946AEBB73FF88202F514419E5067B394CF351941DB65
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 98da960837867730c4e7720a67aeb125841d505977486331212edb38c2fec80d
                                                                                                                                                                                                                                                                          • Instruction ID: f0bbbde01076ce2118482982e61b4105df4c3f711bdccacd1bc176888d80656b
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 98da960837867730c4e7720a67aeb125841d505977486331212edb38c2fec80d
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0451D0313047519FD326DB24D498A6ABBE3BFC5604B08C669D54A8B392DF74EC42CB90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 7d4c25b52d49800d6cac277b5aa632522cf31899c010c157cd62ec3d424e007f
                                                                                                                                                                                                                                                                          • Instruction ID: db5b8482d7ad52fa4238cabb8e1378a89c4bb1f7cd1923c55dff928034483af9
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7d4c25b52d49800d6cac277b5aa632522cf31899c010c157cd62ec3d424e007f
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9851CA383013169FCB05EB28E99056EB7A3FFC45117008669D915DF348EF75AE0A8BD1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 290e449b937c97f975af4efb2c11f826854830269ee9ac15742f9d5dddeefa44
                                                                                                                                                                                                                                                                          • Instruction ID: 7d26cba797ace3dda1631ed8b32440217943a5ba36d93aa11122496f9e2bcf08
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 290e449b937c97f975af4efb2c11f826854830269ee9ac15742f9d5dddeefa44
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1751C8783013169FCB05EF28E59056EB7A3FFC46017008669D9169F348EF75AE0A8BD1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 21b8e462b817636308e601491dd2a0a2340b627ce31da2ce3e84c9cf1d565003
                                                                                                                                                                                                                                                                          • Instruction ID: bfb764288f70cbe608071e62648204e51aa4b64589061a3b661594e8c9a4a2ba
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 21b8e462b817636308e601491dd2a0a2340b627ce31da2ce3e84c9cf1d565003
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE51F578A00309AFDF06EFA4E8946AEBB73FF88602F514419E5067B394CF351941DB65
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 89858dd4ec5d5a21972c5c9d2b02aca155e67bff0033297f46147166261ae3ce
                                                                                                                                                                                                                                                                          • Instruction ID: 95cbd1bac545e78f9d37c6b69e1017b819e7fe59bb6e0c00d10c01811b110fb0
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 89858dd4ec5d5a21972c5c9d2b02aca155e67bff0033297f46147166261ae3ce
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9841F274B043249FEB19EB78A85877E7AA7FBC5600F14886DE416CB385DF389D018790
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: b0319ec5cf53a5975ade2c5429babf776374d61e4416ab16aa6a98eececf6fe3
                                                                                                                                                                                                                                                                          • Instruction ID: d0f7b50b4cf2445130f2e5dc0855e1c38f25b591435b879a25f3364050380bc1
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b0319ec5cf53a5975ade2c5429babf776374d61e4416ab16aa6a98eececf6fe3
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3941F634B042549FE719CF65C884B9EBBF2EF88600F248499E406AB381CF75ED42CB90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: ab61613411bdd81c48ee8c222bbee5bbbd9fff2c4a74b372cb6f51db26404d71
                                                                                                                                                                                                                                                                          • Instruction ID: b34e56a75eff3ad92673fad10d99536f8d1a52ceb2f7663322de2eb69b43503b
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab61613411bdd81c48ee8c222bbee5bbbd9fff2c4a74b372cb6f51db26404d71
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44415074B102249FDB19DF75D854ABEBBB6BF88600F104529E816AB394EF749C01CB91
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 7b005a92c96f3a2f6b2e772b79883f6e2bd298b75a275dad2c868396d5858b53
                                                                                                                                                                                                                                                                          • Instruction ID: 6ef2777910670d0b16cd8fc50730446715bec3e911c5685841b001a043ebe725
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7b005a92c96f3a2f6b2e772b79883f6e2bd298b75a275dad2c868396d5858b53
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B21BB6392D3E01FE7039B7898753D97F216F9295AF0A01D7C084CA1A3E618895D83EB
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 448a15d4807ee209a25d906c4ca254d4d6b936fd23057fa1e73f988ec441fd71
                                                                                                                                                                                                                                                                          • Instruction ID: 6ed2405d7c29610e83e2d2f7c8a102d1e667d1289c6d59b79fc07c796115ef73
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 448a15d4807ee209a25d906c4ca254d4d6b936fd23057fa1e73f988ec441fd71
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3E21683A2083840FD713DB7CE9A06A93FB2EFC6511B0405AAD188DF352DF68DE058395
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: fa6611434b27ada4b87173910646927567e163c963b24f2f267badefa82c5cb3
                                                                                                                                                                                                                                                                          • Instruction ID: c28fee3e49681904a0669430c826bbd5ab59b4a521963ea33fb76d1a851d05c1
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fa6611434b27ada4b87173910646927567e163c963b24f2f267badefa82c5cb3
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0C21F1B17042255FDF18DA24DC49B7F76EBFB84214F00492DE416D7284EF38D9108750
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: b10bf281caa5cedfda618e7ba3fd9f640a6e930b7d3cde1b1f0edeb2b8d3aa68
                                                                                                                                                                                                                                                                          • Instruction ID: 2bdc9c50e00b4e9a24a34a4c61a057a0a4e4dd6b247769c8edbc4092466eb2dd
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b10bf281caa5cedfda618e7ba3fd9f640a6e930b7d3cde1b1f0edeb2b8d3aa68
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DF2168327853387FDB1522A4B8587FA3E5AEF42321F004472E9189A252CB2CC865C7D0
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: a5485903c886ceb177c05afc574285b894d4bcd07e50d2fd28a30d45dabae916
                                                                                                                                                                                                                                                                          • Instruction ID: 862d5cb2eb937cd217a47cf4fa8d298384209a2f5bd9479c3ac3f1c19fb29bc3
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a5485903c886ceb177c05afc574285b894d4bcd07e50d2fd28a30d45dabae916
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9331C035200711CFD325DF24D498A66FBF2FF88214B18CA68E54A8B762DB34EC42CB80
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: feb2e44ea3f788e0f0f860674a1cefcc6fe5345c9b6eb9499f273e5ad8de85fa
                                                                                                                                                                                                                                                                          • Instruction ID: 0089aa6156811fd2a63538e891c9a0c09c2a36bb9af0e71cba498b157482c6b7
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: feb2e44ea3f788e0f0f860674a1cefcc6fe5345c9b6eb9499f273e5ad8de85fa
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B12122353002008FEB08DB6DE484A2E77E7EFC921175984A9E54ACB381DF64EC02C791
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: c5b2df600c03f87f58f05029329bbe430ffd29e0e345be67df1a5031622a85e8
                                                                                                                                                                                                                                                                          • Instruction ID: 94ee0b2d151528ceb52b8ea4524cf964a8ed4b1daeaac94959cccdf5ee1ec6fd
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c5b2df600c03f87f58f05029329bbe430ffd29e0e345be67df1a5031622a85e8
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F21D434B00328CFEB25DB75E848A7A77A7FB88302F10C075E9058B290DF319956CB90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 75760c9b64d093994801af634d54bda56147e84bd6d0081d0096765dcb9f4128
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 47119476B02204AFDB559B65A8455FF7ABBE788611B008029F905D7340DF344E029B90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 7d772e98c4bbb639a47ab5d00bda3def0a5c21187fd18607a3aaa14dfc8d485c
                                                                                                                                                                                                                                                                          • Instruction ID: d45ff653c24a650098170e21929843f0fec9b3f5f65cd579ab4e74dc5bbf58ad
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7d772e98c4bbb639a47ab5d00bda3def0a5c21187fd18607a3aaa14dfc8d485c
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 46016B75B8937037C72593796C9872F6F6A9BC5510F010866DD08C7302DB288C20C2E1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: edbd876c13d8bc389b5ba78c53af017e3454ecaefa3e423eaec332572498f0ce
                                                                                                                                                                                                                                                                          • Instruction ID: 0dff650dad9a88c2d02fed74f4296d5c160280ec051e3992a6d87c8b9aa9cde4
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: edbd876c13d8bc389b5ba78c53af017e3454ecaefa3e423eaec332572498f0ce
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA214A75E002189FCB54DF69D88499EBBF2FF4C710B10816AE915EB360EB319941CF90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 99500327b0bae3b490f04991f7bc8d4a2f1c673d034f40c4bd8bd2b1b1ccfef4
                                                                                                                                                                                                                                                                          • Instruction ID: 567757a136c3c24b8625059b13ab9e22ea7a96e06e71582388de65f7215ef55c
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 99500327b0bae3b490f04991f7bc8d4a2f1c673d034f40c4bd8bd2b1b1ccfef4
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D20126357983185FCB16AB74A81132E3BB5EB41500F554D67D80DCB342DB19CC16C795
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 4db57408167397dd2e066101a9ad45bb74ee32d7378dbc974f56b9f0227bff85
                                                                                                                                                                                                                                                                          • Instruction ID: fe2b2cdc629822a03fa356fd0a0ac75a54e17d2698b137ae196ec6a36ecdc672
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4db57408167397dd2e066101a9ad45bb74ee32d7378dbc974f56b9f0227bff85
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42116D78B40315AFDB14DB64D855AAEBBB3AFCC310F108028E409A7390CF799C56CB90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: a4533540849d9f33153278f953ad914e65c6f3ad965e326b759e04dc2e8749d7
                                                                                                                                                                                                                                                                          • Instruction ID: 5e501374c9b2b452504c6f58ff6fb520234e89f1c9ec7df700b06c4951d0a44e
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a4533540849d9f33153278f953ad914e65c6f3ad965e326b759e04dc2e8749d7
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BD112935A042199BDB19CFA5C980BDEBBF2AF8C710F258455E805BB340CBB19E858F90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: c974d82abb50a0f341cc874224e99dcff042a2a42da562cf98f8e7a3f4f2552d
                                                                                                                                                                                                                                                                          • Instruction ID: 9176a48078e6c3b8511b8143487b12d887664e21c4f011ddead5cdf155d66d75
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c974d82abb50a0f341cc874224e99dcff042a2a42da562cf98f8e7a3f4f2552d
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D52113B0D002499FDB14DFAAC880BDEFBF4FF88224F14852AD519A7240C7796905CFA1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 1166eb510a9c593527ad6e6d33bf78287bc806ce9b825da0310bafb9a68ec166
                                                                                                                                                                                                                                                                          • Instruction ID: 48a1e60ad783adfa623e3c1ed817baa601542c571f24aa4c1a24a9a5db46b7a9
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1166eb510a9c593527ad6e6d33bf78287bc806ce9b825da0310bafb9a68ec166
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6118279B02215AFDB55DF65A8489BF7EABFB88610B008029FA05D7380DF344D128B90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 4872c1bd9f864f678c44f927762f68adf37bd26ea1091b2a328bbbeca412cf5d
                                                                                                                                                                                                                                                                          • Instruction ID: b397d4d4d481fca96e6006729d4657ce88c59acab63d78c8b056c27b93d357da
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4872c1bd9f864f678c44f927762f68adf37bd26ea1091b2a328bbbeca412cf5d
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C021D678E00219DFCB04EFA8D590AAEBBF2FF89210F504499D405AB354DB74AE41CB91
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 342410165a4667cf3500250f171b06cde96f7ecfecbba2eaa487b11db95489c9
                                                                                                                                                                                                                                                                          • Instruction ID: cccd2b3cd47c3613b3bad0f54be854f8e4f39686cc91dbf7f0b0541d0dfaa561
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 342410165a4667cf3500250f171b06cde96f7ecfecbba2eaa487b11db95489c9
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EF112035B01221CFCB10DB68E68466DF7E6FF84321B108A3AC0158B284DB31DC95CB80
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 6e48593d9ed11765a811b15e5e1dd29294eb9025fad87848617626b40e0a6be8
                                                                                                                                                                                                                                                                          • Instruction ID: 24d47d1ba0157af25100ff678ee377aaeb85f0b013ad664fc1678773781c3ab2
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6e48593d9ed11765a811b15e5e1dd29294eb9025fad87848617626b40e0a6be8
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5111F474D042499FDB14DFAAC480B9EFBF4FF88224F10841AD55967240C7796905CFA1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 0fdaf7fe474ea4303fb2cabbceacd2d53306a30cffcef4940ea5614b6a328f8b
                                                                                                                                                                                                                                                                          • Instruction ID: 26dc686db78cced5c5c49662c28f121e34cafd16c2bc78fa3691ea7a88032681
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0fdaf7fe474ea4303fb2cabbceacd2d53306a30cffcef4940ea5614b6a328f8b
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 51115B79610204AFDB14CB64D959AAD7FB6EFCC324F104019E90AAB380CF795C4ACF90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 62e3ddc9c18fe7b469c555c7efe9673f4727d04a8b9c339b73be8fa1c6aef4a4
                                                                                                                                                                                                                                                                          • Instruction ID: c800e737d3d58432e1bccb61bfd551dfd2813a6b3880b8aeae7c890cd44aa024
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 62e3ddc9c18fe7b469c555c7efe9673f4727d04a8b9c339b73be8fa1c6aef4a4
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB0126382843089FE318D760EC5973E77A1FB80B10F948C59E54E8F6C2DB259861CB06
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: d4cba3ed6e10ab172c79b40f09361a3f77b6b66ab8bacccb340cd481799027b9
                                                                                                                                                                                                                                                                          • Instruction ID: 54878207b3c1708e32858f3ee62181e8b119a0fed03bd9e9e4a66633175baf54
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4cba3ed6e10ab172c79b40f09361a3f77b6b66ab8bacccb340cd481799027b9
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C018C723492245FEB64CA59D8D0BABB7E9EFC8660B14803AA84DD7740DB35ED40C7A0
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 2d6fede1d55e6b5d920662595496e2934697082c18d80fe98196a32e72c9fc42
                                                                                                                                                                                                                                                                          • Instruction ID: bb9bee199b8d3b09042b4b5d68d9badd2784188fc4a416a9c661487405db7b33
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2d6fede1d55e6b5d920662595496e2934697082c18d80fe98196a32e72c9fc42
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7EF0D1357042058BDB259A6AD884B9AF7FAFFC8250B08C239E51CD3340DB35E8468791
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1571707687.00000000034ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 034ED000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_34ed000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 48f79c3f38c9627e437c05c9259cb63171e089284fc0f68788ded6052ce27cf4
                                                                                                                                                                                                                                                                          • Instruction ID: f1c2500a8962a34c2cef9e41d171fb2130a9845c3cf27f59bd64430b24f50757
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 48f79c3f38c9627e437c05c9259cb63171e089284fc0f68788ded6052ce27cf4
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6901ED7140D3C49FD7128B25C994B52BFA49F43229F1D81DBD9888F2A7C2699849C772
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1571707687.00000000034ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 034ED000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_34ed000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: e4635fe1a115368c09109f9a295bb4e20f94504f3dd62347ddc21d7446c66693
                                                                                                                                                                                                                                                                          • Instruction ID: 2ebb7d878958d19fef1701198487c18d99337ceca82bb49db71e33422dda6fe9
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e4635fe1a115368c09109f9a295bb4e20f94504f3dd62347ddc21d7446c66693
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C401D4708043049EE7108A21CD80B67BB88DF4262BF1CC46BDC180E282C2799802C6B6
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 4c8760f35140419f15bc2bea2dc1a2b01fb07650f29af9adb9362732b478f6a3
                                                                                                                                                                                                                                                                          • Instruction ID: fdbc6e1c6f69847b8969839976fd6a979e4e1b1743bd18b8539baec8abf139cb
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4c8760f35140419f15bc2bea2dc1a2b01fb07650f29af9adb9362732b478f6a3
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D0F05E3B704115AFDB12CA59E841E89BBF9EB89210B0980A6E518DB351DB31DA15CB90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: dd053c75dd6c7c77dd5afb021d66d750b414f08032ce60ae171f7ca043c667cc
                                                                                                                                                                                                                                                                          • Instruction ID: aa8b912cd7e32d1fbe951d6177b0b747707231e47f1e2d49e0cf282fc800f6d0
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd053c75dd6c7c77dd5afb021d66d750b414f08032ce60ae171f7ca043c667cc
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 92F0E939B4133027D72496669988B3B7B9ABBC4560F14013AEE0987201EB34CD21C9D0
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 9210dd50d4170e72512ab980b919c55b88368cd224dfbbd6af0e2c110abc7f26
                                                                                                                                                                                                                                                                          • Instruction ID: b2824885ec341c4a528eeb3b394362aca08e44949dfdf76bbc6a7a7446056553
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9210dd50d4170e72512ab980b919c55b88368cd224dfbbd6af0e2c110abc7f26
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 61F0AB3334432177D7369614D841BEE73EAEBC15A0F44063DE90A97640DFA5DD4083D1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: b8d5126f8ab91e61e47bdd32aa63b4aeb7810b1a58bd2e8e2466898764d2f029
                                                                                                                                                                                                                                                                          • Instruction ID: 787e5ca7f8ceda3a1af1585534b720bf687b46e5ba0242ecf52f6cf1f17c02df
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b8d5126f8ab91e61e47bdd32aa63b4aeb7810b1a58bd2e8e2466898764d2f029
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 99F0F032114B608BC3368B98E44478ABBF0FF81B19F04491CD08A47B91DBF9BA84C745
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: f8da79adcc77daa766352922acf26fa662d4e320bf4aa72896b615dabb1a0585
                                                                                                                                                                                                                                                                          • Instruction ID: cc92b1ac06583a363564dd3832753e2e7258fc531a2117fc13a2d1423e17f273
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8da79adcc77daa766352922acf26fa662d4e320bf4aa72896b615dabb1a0585
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B6F0A7353043054FDB21DF6CE950BAE3BE2AFC96117044569E549CF354DF61DC428B51
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 82f1bdc8cd76862634ebdae7634029960e856b38dc6c07936a6d14fa7ed1bf59
                                                                                                                                                                                                                                                                          • Instruction ID: 213fff3483ad7f59b8a7d5240ad4dfb889f5e2ac09bc0f6f473e9be8b368afde
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 82f1bdc8cd76862634ebdae7634029960e856b38dc6c07936a6d14fa7ed1bf59
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E8F030357003225BD718D675E8405AAB3AAAF895A4708D5B9DA09C7310EBB1DC52C7D0
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: c48044b88e61d447921b8a0a82b09c8ba5c032a862da9b89b03a83336dd080a9
                                                                                                                                                                                                                                                                          • Instruction ID: 9e7f1b7696b602ecabfd5bedce0f809394e3ca82e9358ca90d279c34a13fcb25
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c48044b88e61d447921b8a0a82b09c8ba5c032a862da9b89b03a83336dd080a9
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 75F06DB9A153559FE708DB74AA2673E3FAABFD0541B04086DD94ACE150EF398C05CBC0
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7AE01270F0022ADF8F54EFA999005AEBBF9AF48140B108969C529E7200E3359B11CBD1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 79644b33f3078be714cfba2f9cbdcfcd91040d008f1cf9fc1a029f733fd7bb94
                                                                                                                                                                                                                                                                          • Instruction ID: 266242e8f4143fba3fc6fe44ec2a794df1e7dcdc1d04de63e5fa56d24d0fd7e2
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 79644b33f3078be714cfba2f9cbdcfcd91040d008f1cf9fc1a029f733fd7bb94
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37E0C23B38426453CB1911A9B5593F53766C7806A2F640CA6E10EE2300DB1DC1208790
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 097bcd18313b0e3f95a67e1edf9a0099f0c24efeab30a17b741d8da6bef5b622
                                                                                                                                                                                                                                                                          • Instruction ID: 4450cdc17747eb517222d12c6b2302ac28d1eb635df3c29ccb5b37b1ba0b7c87
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 097bcd18313b0e3f95a67e1edf9a0099f0c24efeab30a17b741d8da6bef5b622
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 12E08C2F3841A01BC70712FC70662BDAB66DBC5963F090A6FE14AD7381CF1A894683C6
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 54fc4f18eacd38cbdd891a0ace210193a6af140eef1f19c1d5a8e70430d42836
                                                                                                                                                                                                                                                                          • Instruction ID: 4b4c5fd99f4044ceaf7dbe7e25500e83f94defced9b9632a7150cce5a5485be0
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 54fc4f18eacd38cbdd891a0ace210193a6af140eef1f19c1d5a8e70430d42836
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D7E09A353001448FD300CFACD980E92BBF1FB48200B1481A9E888CB392C725EE1ACB40
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: dbf0207deaf88c74b7813bff5321fcfd8d83cc7ac8b545d1d2433799c08dffb9
                                                                                                                                                                                                                                                                          • Instruction ID: b23819808addd37285448eef692c048999ca900eca43a4f383ce5448a1b7c6b3
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbf0207deaf88c74b7813bff5321fcfd8d83cc7ac8b545d1d2433799c08dffb9
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AED05E224193A04BEA079B78A5E43C93F259F82619F0801D2C0859D493EA18998A8389
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 50a6885e444060a8a2eeafcb8a66e991310286b229cc8222c4518538d7e09b70
                                                                                                                                                                                                                                                                          • Instruction ID: 02efbc8fc93687008fd2904c903f24c3c3f6bdaea61777e31c51ac47e0d530bd
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 50a6885e444060a8a2eeafcb8a66e991310286b229cc8222c4518538d7e09b70
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9BE08C322102109BC321862CF945BC2B7AAEB8932075482A5E008D6204DB34C982C780
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 962c49140d8658abb359f1163feeee7ce171fe855804d46bf632778b58441ca3
                                                                                                                                                                                                                                                                          • Instruction ID: 47837c95f2357272b3b20bf849947d514a1504af6bd15a6bbef53dc7b18d48e3
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 962c49140d8658abb359f1163feeee7ce171fe855804d46bf632778b58441ca3
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 24E0C2352107045BC619BB59F0455AE7FEAFBC5B66B00042DE88687740CF717886CB95
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 130f32987e3258cde4f88f0733a4106cbbe83c6998fa546ce1319d857909e1a2
                                                                                                                                                                                                                                                                          • Instruction ID: d940f1c2c9afed598fa31216fca531532bd37176cd9e8c69a4ce34de5dbda5a2
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 130f32987e3258cde4f88f0733a4106cbbe83c6998fa546ce1319d857909e1a2
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 82D05E3E35417027060625AE741942E7AAEDAC5D72715002FF60AD7380DF554C458395
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 3c3513df46a4f676c3885edd3c3c0eae4e030454c9378af061413e1e6f4f2759
                                                                                                                                                                                                                                                                          • Instruction ID: bba8501f3447a83132c57f82a90dff47bc630a5561396d9bb612b0e490953f45
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3c3513df46a4f676c3885edd3c3c0eae4e030454c9378af061413e1e6f4f2759
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 21E046366A23009BE301EB34FD0279A3762FB80A01F02466AE5018E184EB612D064BC5
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 8248800dbc01eabe4393a8801d711ecdf53849fc22cadf661bd6d64ebb9d254d
                                                                                                                                                                                                                                                                          • Instruction ID: b73280e5d7f1e561af9047a4fae497cdb87a8730d09f32f2768366f2033b72a9
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8248800dbc01eabe4393a8801d711ecdf53849fc22cadf661bd6d64ebb9d254d
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EEE0EC753042189FD314DF5CD980C91BBE9FF996543558099F948CB352DB22ED16CB90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 1d8fe98e2f73ea6453f246e6f41dc8eb671e1bd2230ee7a9092571f5cb403b27
                                                                                                                                                                                                                                                                          • Instruction ID: 638778f2a2c3a5dfa34305de97767275c036ccd281b52e787bd11ac85b4918e7
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1d8fe98e2f73ea6453f246e6f41dc8eb671e1bd2230ee7a9092571f5cb403b27
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3CD05E362042149FC3049B25E84E7D97BBAE75C220F14816BE94683221EF765C22DBE5
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: f927a17172f225d8861cefeeaa1fcd66ac6ff2772464b81c231beefefa147d6a
                                                                                                                                                                                                                                                                          • Instruction ID: 3f56d8d78d93b75076bb4915f8688de35c017c86af919dfa0a1c887b09189f00
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f927a17172f225d8861cefeeaa1fcd66ac6ff2772464b81c231beefefa147d6a
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8CE0B674E0430CAFDF54EFE8E44559DBBF5AB88700F0081AAE809E7350EB745A458F81
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: ac039c528d17e4cc8373c3b557ade2fb04f973054dfc4217889c24370a8c8b0c
                                                                                                                                                                                                                                                                          • Instruction ID: 8a68978e9a84a602b19238978c650af9371b8f37efebdea7a20917421b6e4dff
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ac039c528d17e4cc8373c3b557ade2fb04f973054dfc4217889c24370a8c8b0c
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9CD05E36A5D3642BC71522B8685969E7F9E8B4A520F0605E6EA08AB243D96888504780
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 7376f681464066066c88bd042354910179df1cc4a124c8243ae8a2fbf92227f4
                                                                                                                                                                                                                                                                          • Instruction ID: 8a9260db794280b80ba1918b0bca582079225386a23488f8ea4abe64a676d1dc
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7376f681464066066c88bd042354910179df1cc4a124c8243ae8a2fbf92227f4
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D2D022303C532C2AF71473A0340C73A328A6B40610F900028DA0C0C0E2CBBA14F0C991
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 701060d469fec517ed6673f7db8c23cfd06b9dff2e25e843a4ccd5ee7e0698b5
                                                                                                                                                                                                                                                                          • Instruction ID: aa120e201e1ffe2df1ea9a5409150b99ac2547ab67f2a732f41286b853e2fe0f
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 701060d469fec517ed6673f7db8c23cfd06b9dff2e25e843a4ccd5ee7e0698b5
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13D0A7323102286B4214A614EC8D96E7BAAE7882613504437F90683210CF706C248B96
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: bac312ce210b2da31b78b22ef2d89a4eedf2683febc6e40c7255edd37bd730c9
                                                                                                                                                                                                                                                                          • Instruction ID: cec02dce9a2abce4b25f6d597b42edf5cab3a3426593bfff0e1c8c3ab2c10473
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bac312ce210b2da31b78b22ef2d89a4eedf2683febc6e40c7255edd37bd730c9
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3CC012A7B9EA3833861510AC6D0128B67488B1A911F960DA2D91CD6203A14A9D2486E6
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: c17747978805cac3042036fd49ad35dfaca3ae7bc433296f7dba9d5719d26011
                                                                                                                                                                                                                                                                          • Instruction ID: 061f1898480230cd8323ee5cdd738d706da141981abd3efcd5cc094dabb4404d
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c17747978805cac3042036fd49ad35dfaca3ae7bc433296f7dba9d5719d26011
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58D01234901308EF8B01EFB4E94156D77B9EB44501B104199D808D7240DF311F009B91
Memory Dump Source
• Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: c7f1b778e9d60e0ad4beef6f73ef6ecd0439e5cd31d389722724631489592f4f
                                                                                                                                                                                                                                                                          • Instruction ID: 0efc288de4f8d4112f541634eda71f99f7dc96162f8f143c773c042cce840959
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c7f1b778e9d60e0ad4beef6f73ef6ecd0439e5cd31d389722724631489592f4f
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 21D012B7C093486FDF35DE64C846718B779EB06A10F8402EAF809A3311E7A6DE5096C2
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 65d0ad456d0d8f8de7b0c3f4e344a695dd1bb44f37b5f4c301265b1503dd50ed
                                                                                                                                                                                                                                                                          • Instruction ID: 55a37ea46dcb36f8ea4096dec5b6f102698621db7ead8aba9b1b4fd3bf8b32f5
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 65d0ad456d0d8f8de7b0c3f4e344a695dd1bb44f37b5f4c301265b1503dd50ed
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4E0123064461BDBDB14DFE0C565AFE7B76BF14709F204518E402AA244DF755546DF40
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 2758e20a9b968596f6c9631a4bd0bdefd4c1f4d96f56163e62d20186bf5e07ee
                                                                                                                                                                                                                                                                          • Instruction ID: ee9a3032eeaa55934b96f5106bea1a4b780f56ef7623214dc5d077f59eaedffb
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2758e20a9b968596f6c9631a4bd0bdefd4c1f4d96f56163e62d20186bf5e07ee
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F0D05E71901309EFCB10DFB4E94499DBBFAEB44200B2086A6C804D7210EA315F109B82
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: aeb10943ab685f6bdae277ad6eb55f8d2ef67ebdeae3b48fc7b14b67ad4e8d8a
                                                                                                                                                                                                                                                                          • Instruction ID: f721c0c6d1914d936b51c716e64dac6caceb06f6ed3d7943c6617d1fa1dcca9b
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aeb10943ab685f6bdae277ad6eb55f8d2ef67ebdeae3b48fc7b14b67ad4e8d8a
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9D01236205329DB8A095A55D800855B72AAF8556872880ACD94D0B705CA73EC53CBD0
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: fbd2979c46159029114c972b9bfc22e0c45e7b5cb54ed68f27dfb5b91aed5644
                                                                                                                                                                                                                                                                          • Instruction ID: 2815754b4b4958ea293048f7f4658ec7c887690aa7821d0f62f31319910eb7db
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbd2979c46159029114c972b9bfc22e0c45e7b5cb54ed68f27dfb5b91aed5644
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6AD01230354304DBCB5CEB64E55993577ABAB887043108CADA91FC7341EF36E823CA40
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: c16f03c7be39d39ee48525a4e01273d439ff9f8468db90eed7222cc95a7b0133
                                                                                                                                                                                                                                                                          • Instruction ID: df7e3bf0c9fdc3ae810dfec55eb56fb068220ea3a82e1a2f0dc6a6ec1800f67c
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c16f03c7be39d39ee48525a4e01273d439ff9f8468db90eed7222cc95a7b0133
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E3C08C25BD431C9BDA18AA626B6D33F395EAB80920F804C25780D85000CF2898348645
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: be3f23c0a4a85477305b91dea2b370b004b1571272e22298ce1720c343b98179
                                                                                                                                                                                                                                                                          • Instruction ID: 9fba261fc30068f329b20b938407f5a43362165a5e0a45e8472cb9caaa210f0b
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: be3f23c0a4a85477305b91dea2b370b004b1571272e22298ce1720c343b98179
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3CC0027545B5855BD7164630C8913243A25DB5E205FED84FCC05549955C66F845BCB10
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 789952f5aaf2b5591d9adab7b741607174422aedbc02851f3dd269ea742a17a7
                                                                                                                                                                                                                                                                          • Instruction ID: dab34cf7c44f641145ed34ff4ea3dc3d0cbf95765984d95f115f61359cb4c52b
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 789952f5aaf2b5591d9adab7b741607174422aedbc02851f3dd269ea742a17a7
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6EB0927090530CAF8620DA99980195AB7ACDA4AA10B4001D9F90887320DA72AA1066D2
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1571144818.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_5120000_rundll32.jbxd
Memory Dump Source
• Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 6da86757f68c6aba7310607d5918ed0ffa1eb2fe9273f22545405cb883f57be4
                                                                                                                                                                                                                                                                          • Instruction ID: 0eeabdeba4d5ef7ad1ede6e6a77e613ed071f6c247bdf5b3d84a1eb44bae5add
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6da86757f68c6aba7310607d5918ed0ffa1eb2fe9273f22545405cb883f57be4
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32B13070E00219DFDF14CFA9C88579EBBF1AF88715F14852AD815AB394EB74A845CF41
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 386bc749e8cd6f2cb05555cc0afb0dd9080b802fcb803fd10b7fe348d037347b
                                                                                                                                                                                                                                                                          • Instruction ID: 7be202945bfc678f63227790df0ffdc7e4964e8277aa406d24136e4cfae1909d
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 386bc749e8cd6f2cb05555cc0afb0dd9080b802fcb803fd10b7fe348d037347b
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6FB16370E00209DFDF14DFA8C88579EBBF1AF88B15F14852AD815EB354EB74A845DB81
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 080335b2de881c1d10d2f0912292d7ca5784a2d907fd44746fe71db9332027c6
                                                                                                                                                                                                                                                                          • Instruction ID: 3ccd3230e21ce31bbe5ece0f9f98e887e3d12ab0ad1389b2b9226c2bfcfe887c
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 080335b2de881c1d10d2f0912292d7ca5784a2d907fd44746fe71db9332027c6
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CCB13C70E00219DFDF14CFA9C88579EBBF1AF48B15F14852AD815AB394EB74A845CF41
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 054b672022f1083841b5a98195d4d9a080154ddccda2564fba4cff3d173b1324
                                                                                                                                                                                                                                                                          • Instruction ID: f17e9df5ca34c327e22e1c27cdf7ef8bb08f2f37ace9646b11d490d14f682fdc
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 054b672022f1083841b5a98195d4d9a080154ddccda2564fba4cff3d173b1324
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A7B16F70E00209DFDF20DFA8C98579EBBF1AF88B15F14852AD815EB354EB74A845DB81
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: ca541a5461ebc3823b50869b716065930643b3e5abe1bd42ea1f2d231616e68c
                                                                                                                                                                                                                                                                          • Instruction ID: b5ca44d540de0c2d5614061464c9e9d8beb6610bd21307996f7276400c985a79
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca541a5461ebc3823b50869b716065930643b3e5abe1bd42ea1f2d231616e68c
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9971A435B002149FEF189BB5C85476EBBA7EFCCB01F14812AE506AB395DF35AC029751
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 18188b85e816deb49eb71396ecf146e4b77f6b0ab7d72daf28033d31770be052
                                                                                                                                                                                                                                                                          • Instruction ID: ffa4cb625cde68540464865854d680dff8c6e7fe3cd6c87223b3000dbc499563
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18188b85e816deb49eb71396ecf146e4b77f6b0ab7d72daf28033d31770be052
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE51D031B012098FDB14DFB9D8406AEBBB6FFC9B51B14812BE815D7351DB30AD429BA0
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 8297148a5346ac9edf3a13c13408830b2bb8d0c752f013c51c6e83ad42e09da2
                                                                                                                                                                                                                                                                          • Instruction ID: 05be2ae4d408103868fd3b8a5785cb1ac387c145f314a698c0c38dc24df5f89a
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8297148a5346ac9edf3a13c13408830b2bb8d0c752f013c51c6e83ad42e09da2
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3051D230B04215AFEB189B68D8547BE7BF6EF8D711F15806AD506E7382CE786C06C791
Memory Dump Source
• Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 568b9e81b7c76398b41c1df9a391d107fe11b1f600b633e57a0e3f32a7664588
                                                                                                                                                                                                                                                                          • Instruction ID: 89db9f3274f96fa9f8be403fc8b93a2b19c998079270374e2dc7d891d0dc5de0
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 568b9e81b7c76398b41c1df9a391d107fe11b1f600b633e57a0e3f32a7664588
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 62116030A00205AFDB04DF65D455EAD7BBAEF8C722F15401AD809A7382CF396C49CB90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 5a17be08e3634c657d303d9da971aa82cee6f9dac2f9f704c233bb372c1f1423
                                                                                                                                                                                                                                                                          • Instruction ID: bc2167d15395c82d9cea2889a9bb7445dba7c1f6985f8bbfca53202c7100341f
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5a17be08e3634c657d303d9da971aa82cee6f9dac2f9f704c233bb372c1f1423
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A611F474D042498FDB20DFAAC481B9EFBF4FF88724F10842AD95967240CB756905CFA5
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 2e099bf55a6ceb99e1d2052e148fddae4b33ea47693904513f620dc48396f5c0
                                                                                                                                                                                                                                                                          • Instruction ID: 037e0b1eef00bcf479fadc3e41462ef46734d9e81b6d640663040e7b4ae83c66
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e099bf55a6ceb99e1d2052e148fddae4b33ea47693904513f620dc48396f5c0
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C201F5306093476FDB098F3498326367FA9EECA61270509ABC949CF252EA25D808C3D1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 9370e2774c2ee40012745478d9d4f196e9783f7bf7f53b3520e136438b0ec0f7
                                                                                                                                                                                                                                                                          • Instruction ID: ca9430ded881bee6aa2e6513071e9980271e48b335dc9b26dfa570a5e11be49e
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9370e2774c2ee40012745478d9d4f196e9783f7bf7f53b3520e136438b0ec0f7
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DF110D35600215AFDB04DF64D458AB97BBAEF8C311F255029E90AA7381CF795D49CB90
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 41a1bf61caa60c14fad884323490d40025ff120f7ad633eef304ddf3c42c44c5
                                                                                                                                                                                                                                                                          • Instruction ID: 20ddf7ff181eeecb54ab9e86334be307b8352782ff8c7b9d64e627d513bb4507
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41a1bf61caa60c14fad884323490d40025ff120f7ad633eef304ddf3c42c44c5
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A101DF31B0011587FB18AA6885517AFBBE6ABCCB01F11822FD405A7781CE756C0287D0
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 1756ef5641ccc780430dd3c7eb96be681a2e4a5e983a8a9d334d142ffc90f644
                                                                                                                                                                                                                                                                          • Instruction ID: 0959ea49fb9175e7674ea5c1b7491ee454fb770c11009448d8a7355eb0676a6d
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1756ef5641ccc780430dd3c7eb96be681a2e4a5e983a8a9d334d142ffc90f644
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3D017135B50215CFCB04AB74A4016AE3BB1EB88B25B20417BD946DB720DB399D43CB80
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000002.1578924784.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_d7d000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: d87c30da6347d6817bc9c4f49916e3ee6cc021ee658a17714b1dd6e0ec803e58
                                                                                                                                                                                                                                                                          • Instruction ID: 37a3978169a0dc0f5b255f9a4e22e566d0ebac5e21217cde6c5e673c798aae63
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d87c30da6347d6817bc9c4f49916e3ee6cc021ee658a17714b1dd6e0ec803e58
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C301086140E3C49FD7128B258994B52BFB4DF53224F1DC1DBD9888F2A3D2699C49CB72
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000002.1578924784.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_d7d000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: b760781167f0c9ce7e8809cf0b488a06d546d56809b313079f79c8036f26fad3
                                                                                                                                                                                                                                                                          • Instruction ID: b9ccc7200d327cbc926ce7c45ac637aff8c4c0c373560d5eff9d3559b0920c68
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b760781167f0c9ce7e8809cf0b488a06d546d56809b313079f79c8036f26fad3
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D5F0F9302003004FEF147B70A8455993F15FB85715B00907BE1068BA81DF65A84B5791
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 6b0bb20df8b21642af32ee345cc05d00431a4bc2a1a537afdd3a17e17b9b00da
                                                                                                                                                                                                                                                                          • Instruction ID: 7c041897a2f9629383483d095a4cba1035869da25912f836c908fb25fb54bfac
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b0bb20df8b21642af32ee345cc05d00431a4bc2a1a537afdd3a17e17b9b00da
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 69F05236B057502BDB205A2664D076B6F18ABCCE62F1141ABED588B302EA68DC0382E0
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 91fb26b1941fc324569eee2de7204c64ad77ff11166bc16fcf4ba0160428eed0
                                                                                                                                                                                                                                                                          • Instruction ID: e49d3319511b02c794ffe66fed427d08ad513c4318134a6c4a79eb64e8fb6c96
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 91fb26b1941fc324569eee2de7204c64ad77ff11166bc16fcf4ba0160428eed0
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9401FB79A102159FCB04EB78D40556E7BB1AB89B15B10406AE909D7350EA759906DB80
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: e95dd0e843635c5d523fde95b984e085cedc1a68583f3b9954370c7a748a9188
                                                                                                                                                                                                                                                                          • Instruction ID: 205a81976815668a0b5a07cabbb5b6e4771cc0b349935f75a3da305a86d43618
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e95dd0e843635c5d523fde95b984e085cedc1a68583f3b9954370c7a748a9188
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 17F0F6306053039FDB08DF34947663A3F99EED9712705596FC94ACF152FA289849C7C0
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 8f464a4555b034f3ea04269b7860f1b57479b356d78762ecfcd2a6239aac1ef5
                                                                                                                                                                                                                                                                          • Instruction ID: 7f05b821612d71010c304bd161a07e9dcc667cda579e6e2b155af7a2b44d1853
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f464a4555b034f3ea04269b7860f1b57479b356d78762ecfcd2a6239aac1ef5
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5EF090303003004FEF08BB74E90566A3B5AFF84B15B00946AE10A9B651EF61F848A7E1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 5288362abffe06f33a997506d78511a44c98cecf1c5700e915f07c39ab2607d5
                                                                                                                                                                                                                                                                          • Instruction ID: 15428284386146bafa21607e734df2cf43e8c97e49cbc7c6344dc52a6932c8ac
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5288362abffe06f33a997506d78511a44c98cecf1c5700e915f07c39ab2607d5
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9CE0203134A2698FDB1535B134051FF3B9CEE8AB1271750E7D44AC1A91DB0C8D438751
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 7a2a4ee5c4e8338ddfeb99ba3ddf2678b3e5c281bb31ca2a12f8cc8aafe660d0
                                                                                                                                                                                                                                                                          • Instruction ID: 0e359ae3e30d6ea2adc0b37bd3defae189a8b800484c4c7c05e7a887df337090
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7a2a4ee5c4e8338ddfeb99ba3ddf2678b3e5c281bb31ca2a12f8cc8aafe660d0
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B5E0C2712092614FD30197A8A4504D47B79EB4A724B2281E7E50ACB263C5958C038385
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: fe672305c407422e5a278eeac47da5655a73c00c433eddc746901df1ecaf09ff
                                                                                                                                                                                                                                                                          • Instruction ID: 8e61c8b27b8089616551a33352e05ec5f34965c292a24547e032bdbc9fe8e2c1
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe672305c407422e5a278eeac47da5655a73c00c433eddc746901df1ecaf09ff
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E3E020B08453049FCB00CFB0D9511CC7F74DB4920472142E7C845DB512EE340E079B41
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1578113256.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_4430000_rundll32.jbxd
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 2abbda7fe27de6b7083cd67b3dcc2f4a503f888a028e2ff5c9a8037c9f1b5b1b
                                                                                                                                                                                                                                                                          • Instruction ID: 927e2ec6f0a053c1c861df1e36a72dc28c75719957ec2a8521c2c1b540b3d7d6
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2abbda7fe27de6b7083cd67b3dcc2f4a503f888a028e2ff5c9a8037c9f1b5b1b
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C712BB0D196298FEBA5EF28C8857A8F7B5EF55300F6040F9D00DD6292CA35AA81CF50
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: dbadb2955f925fecca9ce26c0c4d336e50af147f442361c5f5be900c5f3a16a3
                                                                                                                                                                                                                                                                          • Instruction ID: 6b9f3251310c5cc1f7ba05d9142077130f5cc46df7ec2f821b7752cfaff8067a
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbadb2955f925fecca9ce26c0c4d336e50af147f442361c5f5be900c5f3a16a3
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98614A70D196298FEBA5EF28C8857A9F7B5EF55300F6040F9D00DD6282CA35AAC5CF50
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: b2a981735ecf47c653057dba35752a5c14e7fef54dfe3c04250af37b38b903ea
                                                                                                                                                                                                                                                                          • Instruction ID: ae72f81b206569e2dfa7ef943f907f21207c0ee2da85bd6c616187870895999c
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b2a981735ecf47c653057dba35752a5c14e7fef54dfe3c04250af37b38b903ea
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8A5119B0D196299FEBA5EF28C885BA9F7B4EF15300F6040E9D00DD6252DA35AAC1CF50
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: (7oI$07oI$87oI$@7oI$H7oI$P7oI$X7oI$x6oI$x6oI$x6oI$x6oI$x6oI
                                                                                                                                                                                                                                                                          • API String ID: 0-2716279572
                                                                                                                                                                                                                                                                          • Opcode ID: 985592d0a5be6a0158e702d0d248826608f724613cd42adeefde98f38a948346
                                                                                                                                                                                                                                                                          • Instruction ID: 4c2eea54d473684a5a74d7e44744958354b740cd14a56a7b09b06c774d3dbb36
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 985592d0a5be6a0158e702d0d248826608f724613cd42adeefde98f38a948346
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7BF1A0B0A1DA899FEB99EF38C8557A8BBB1EF56300F1400EEC04DD7292CE345985CB51
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: \oI$(\oI$0\oI$8\oI$@\oI$E$H\oI$P\oI$x6oI
                                                                                                                                                                                                                                                                          • API String ID: 0-1488657949
                                                                                                                                                                                                                                                                          • Opcode ID: 4ba77dafa74c470115d70842b652e1056d4ee7bd23efc298fa054ad54156478d
                                                                                                                                                                                                                                                                          • Instruction ID: 741cf570e5e6f0aa577bf24ee1521559f23de6718433ea1fb3ab8ad2686b7e04
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ba77dafa74c470115d70842b652e1056d4ee7bd23efc298fa054ad54156478d
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4981E2A1A1EA8A5FE746AF7CC8556F8BFA1EF46210F5401FAC448DB1D3CD28184AC791
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: x6oI$x6oI$6oI$6oI$6oI$6oI
                                                                                                                                                                                                                                                                          • API String ID: 0-293230931
                                                                                                                                                                                                                                                                          • Opcode ID: 97673bfc6bf57af7602013c6491099d69e7593a8571c3b328505bd21ff6270c3
                                                                                                                                                                                                                                                                          • Instruction ID: f23664bd073ff73d97f93dfc453a489bee9f10df4bb9c5fe437897da9eac45fb
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97673bfc6bf57af7602013c6491099d69e7593a8571c3b328505bd21ff6270c3
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9A13C7090962D8FEB69EF28C9857A8B7B1EF5A301F5440E9D04DD7296CA749EC4CF40
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: x6oI$x6oI$x6oI$x6oI$x6oI
                                                                                                                                                                                                                                                                          • API String ID: 0-833102271
                                                                                                                                                                                                                                                                          • Opcode ID: 25ed404e5a7e0b8ce5e71886d3b666d9df9efff37d1a5c8c8f5322d98a622a22
                                                                                                                                                                                                                                                                          • Instruction ID: e731d5ec9eda6b57b887aa38b9c5bcfa3c351a5925d174d06b372fba43be156b
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 25ed404e5a7e0b8ce5e71886d3b666d9df9efff37d1a5c8c8f5322d98a622a22
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 778219B0919A1D8FDB99EF28C494BA8B7A1FF59304F6040FDD40ED7296CA35A981CF50
                                                                                                                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
Similarity
• API ID:
• String ID: x6oI$x6oI$x6oI$x6oI$x6oI
• API String ID: 0-833102271
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D341B47091DA8DDFEF45EF68C441AACBBF1FF1A300F5400AAD408DB292CA385885CB50
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: x7oI
                                                                                                                                                                                                                                                                          • API String ID: 0-1133390374
                                                                                                                                                                                                                                                                          • Opcode ID: 4ffb6aa953727334752bf9e30aef3ab854ae6a77bf40860164ebe2ba89f3fab2
                                                                                                                                                                                                                                                                          • Instruction ID: 035be55e75e2150f3f027e256c6141f0c15bacbd2ef2503aedce634a9f3f1e66
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ffb6aa953727334752bf9e30aef3ab854ae6a77bf40860164ebe2ba89f3fab2
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6631327060964ECFDB85EF68C451EA9B7E2FF96300FA545B8D40CCB256CE35A846CB40
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: h\oI
                                                                                                                                                                                                                                                                          • API String ID: 0-1461016952
                                                                                                                                                                                                                                                                          • Opcode ID: 2e4e48611a9acae85d7362f40cac174d60f4c51576993c614b986e377c1d34a9
                                                                                                                                                                                                                                                                          • Instruction ID: 5c060e6754e641ec25f848147248f0667301a227479221105957ddf562a0c43c
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e4e48611a9acae85d7362f40cac174d60f4c51576993c614b986e377c1d34a9
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A011A9B1E1CA498FEB01EFB8C4556FABBF5EF46300F5141B9D409D7292CA2864888B41
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: c8cb693d1b2114280a70d1cf40fc65dbd5b485e82282a002fd51c4a8ae0b720f
                                                                                                                                                                                                                                                                          • Instruction ID: c723b475c6b8385ab43502332ab7385facb11c4a311d0964b4ebd3f2e4f22fa0
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c8cb693d1b2114280a70d1cf40fc65dbd5b485e82282a002fd51c4a8ae0b720f
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 63D1B17091CA898FEFA9EF28C8557E977D1FF59310F14426EE84DC7291CB34A8458B82
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661403329.00007FFB4AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA70000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4aa70000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: b57dae8c5136e4cd7b2024a071f2705da35a4ab39443288416e2ac3865937c0a
                                                                                                                                                                                                                                                                          • Instruction ID: 0f9b37c100b78da22b70ef361af2f6277760c759269311016b4e03f41cb760b7
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b57dae8c5136e4cd7b2024a071f2705da35a4ab39443288416e2ac3865937c0a
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0DB1D370B0CA454FE799AE6CD4556757BD1EF9A710B2402FAD08EC72A3CD18EC428B92
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: dfe582b3da3194da69689967a14e967f7c8ad85f6bc73e493e66d9c1aaaae50c
                                                                                                                                                                                                                                                                          • Instruction ID: ddd2c84c3fbb2d6d32a23b4d9bc16a1e262576a51bae31d70c023e6a6607ba43
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dfe582b3da3194da69689967a14e967f7c8ad85f6bc73e493e66d9c1aaaae50c
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5DD149A181D68A4FEB55EF38C9556A4BBE4EF16300F1805FDD58DCF1D3DA28A809C781
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 7e280abb2806bd9cf55724b318a0132acbf4ead1034b87268d4221931c783f19
                                                                                                                                                                                                                                                                          • Instruction ID: c6714070b74f677bf329956ee42c8ee5010013ccd28d566f8a7cb6aff5f26500
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e280abb2806bd9cf55724b318a0132acbf4ead1034b87268d4221931c783f19
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 56B1C37051CA4D8FEF69EF28C8557E97BE1EF55310F14426EE84DC7292CB3898458B82
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661403329.00007FFB4AA70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA70000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4aa70000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 94514a636737a7ff07d53634a3f5f7e418f212343110f30d72214d909f67a92e
                                                                                                                                                                                                                                                                          • Instruction ID: 25fbfdfa7d5b6addd36d52058f761a690b48af81f644b1b0fbb3f9dfe5db52bb
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 94514a636737a7ff07d53634a3f5f7e418f212343110f30d72214d909f67a92e
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9351A47171CA084FD758EF2CD899675B7E2FB99710B1102BAE48AC3256DE24FC538781
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: e2d9e88e9ec6873c32c89f1e1a91de2b5c1592543b7fd514471f59111d7a748b
                                                                                                                                                                                                                                                                          • Instruction ID: 3b2a39f8a9a1bee220dba77795cdd915e2d2f3e4b29c614d61f625d1db5fd568
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e2d9e88e9ec6873c32c89f1e1a91de2b5c1592543b7fd514471f59111d7a748b
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A11C570A1891DDFDF84EFA8D484AECBBF1FF69351F6400A9E009E7251CA35A881CB10
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1661029543.00007FFB4A980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A980000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffb4a980000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                                                          • Instruction ID: d12ff37c9767bc93a5a1ae64b355eceb2b1eafb57d2122f5ea69890b2f2607e0
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F3A00242ADE46E0198443CAEF9460D8F248C785171BD529B6EE1CDC14A988E19D61289
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: 79_L
                                                                                                                                                                                                                                                                          • API String ID: 0-625708347
                                                                                                                                                                                                                                                                          • Opcode ID: 1071255349f4dcc840ddfe6a8d138c9b643cb8a8871ee7246f3c7ed86083f9d7
                                                                                                                                                                                                                                                                          • Instruction ID: 66afd1d851af3b1d962a24eb5b20bae65cb0ad9246c25b12d6b6bd14e4817f1f
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1071255349f4dcc840ddfe6a8d138c9b643cb8a8871ee7246f3c7ed86083f9d7
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 62221AA2B1CD5F0BEBA5BE7C9469AB963C1EF9835071451BED84DC3686DD28EC0643C0
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: |P_H
                                                                                                                                                                                                                                                                          • API String ID: 0-691365553
                                                                                                                                                                                                                                                                          • Opcode ID: 9e30da2e8d91378b8445a100597e1714f5a6488e88cfe3f3df5793438733e98e
                                                                                                                                                                                                                                                                          • Instruction ID: db9d559ef242fee20b0335120100a83d1418ed001b199ed4e0227454896c8209
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9e30da2e8d91378b8445a100597e1714f5a6488e88cfe3f3df5793438733e98e
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2142F3B180DBC64FE3A69F38C5556A53BE5EF96310F1901FDC48DCB1E3EA28680A8751
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 153aaf7374732b0dd4424e8b14bf28de4ca88917429decd564837080beaec5b3
                                                                                                                                                                                                                                                                          • Instruction ID: 2f7b8456948e9a223830aa1a6645722783e060c2c5096500dc226b49a9b90d00
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 153aaf7374732b0dd4424e8b14bf28de4ca88917429decd564837080beaec5b3
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E927D7161CA4A8FEB95EF3CC498BA577D2EF99300F1441FAD04EC72A2DE28AC458741
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: dbebe29c333f70a5b627dc880a671deadedc6677ccf5e520323fce71b1e130a1
                                                                                                                                                                                                                                                                          • Instruction ID: f2ffc270188121781a988dd305b806323b392904c31ba16a2f0f203c8df4b843
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbebe29c333f70a5b627dc880a671deadedc6677ccf5e520323fce71b1e130a1
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F232E770A1DB854FD35AEF78C4916A6BBE1FF96300F1441BED48AC7193DE28A846C781
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: e8aa6856a9b3276aa0da0beadba3be33de54fe4be89bf91a90ffdf9478f5a0c1
                                                                                                                                                                                                                                                                          • Instruction ID: f7f44c470b1e27c5bb3808bcf5ad2e996e5a8357b52aa3c63aa0c11c36885ac8
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8aa6856a9b3276aa0da0beadba3be33de54fe4be89bf91a90ffdf9478f5a0c1
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D112B4B0A1CB854FD359EF28C591676BBE1FF99300F14457DE58AC7292DA34E842C782
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Instruction ID: 1a7d0a4d85b712a5464e3f9a4e4e352c50633993b13b3b781e061386e91cedf1
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b09963baeb3205043b037bfcce3fd0f94926d9a7289bd580d095c0023fde49bb
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3DB1BDB061CF458BE769EF28D581575B3E1FF98300B2446BDD48AC3696DA35F8438B81
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: 7+_^
                                                                                                                                                                                                                                                                          • API String ID: 0-3377498989
                                                                                                                                                                                                                                                                          • Opcode ID: ecad66df27445e3caaee952ed19bc3dc9120bdf594c3611aaa3a060c3fed42ea
                                                                                                                                                                                                                                                                          • Instruction ID: 1f36f4a966b87f22dcca46e972941645be975a63a326ead9a2b94c4ab4e28b87
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ecad66df27445e3caaee952ed19bc3dc9120bdf594c3611aaa3a060c3fed42ea
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1EB1D8B680DB975FE712EFBCE4D54E47BA0EF0131872942B6C449CB453EE25785A8780
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: 'R_L
                                                                                                                                                                                                                                                                          • API String ID: 0-835780197
                                                                                                                                                                                                                                                                          • Opcode ID: 6681f036c053adc7dd72f6bcca179fcb9e461c063fcd30003c4f0aafe60eb917
                                                                                                                                                                                                                                                                          • Instruction ID: 9c786aa6444d7606936e7625830fad71ef60fbff5c3ec878de5ca33e1a9cb73e
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6681f036c053adc7dd72f6bcca179fcb9e461c063fcd30003c4f0aafe60eb917
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D161B2A1B1CE4A0FE798EE3CD4196B977D2FF99250B5501BEE44EC3293DD289C014385
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: ^L_^
                                                                                                                                                                                                                                                                          • API String ID: 0-3269914177
                                                                                                                                                                                                                                                                          • Opcode ID: 110da1c9003304919ad86ad7802397ea72845e4565bb3ff6ffebc22f0bea573c
                                                                                                                                                                                                                                                                          • Instruction ID: e0dc3e64298361690f0a99e3a19356a6038045f17a2ff8a51251b1db1bb65980
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 110da1c9003304919ad86ad7802397ea72845e4565bb3ff6ffebc22f0bea573c
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03517672A0D7924FD343ABBCE4961D93BE4DF4223570981F7D489CE0A3F918684AC796
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: X
                                                                                                                                                                                                                                                                          • API String ID: 0-3081909835
                                                                                                                                                                                                                                                                          • Opcode ID: 06df0a27d1891ced1759adaa7f29b6651f7610a3e73119d826c0552856c7dcc9
                                                                                                                                                                                                                                                                          • Instruction ID: cfa82fa996387eeba1c949100cf2b2c277165bf2bc358b19f380a0b9428c7277
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 06df0a27d1891ced1759adaa7f29b6651f7610a3e73119d826c0552856c7dcc9
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 366116B0C096198FEB55EF68C9997EDBBB4BF19311F6041B9D009E72D2DB382985CB00
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: yb_H
                                                                                                                                                                                                                                                                          • API String ID: 0-956606333
                                                                                                                                                                                                                                                                          • Opcode ID: bf05a822c8f1cb686d39eff580812ae7edf931265dc4bf8ffaab54aa5692a96a
                                                                                                                                                                                                                                                                          • Instruction ID: 7e3aa8a0e73997b42b8587962d9dfd8e54307b5d3da02e9dac0dcad56317d52b
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bf05a822c8f1cb686d39eff580812ae7edf931265dc4bf8ffaab54aa5692a96a
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E741C4E1A0EA954FE7A5EF38C59D6A97BE1EF95310F1805FDD08CCB1E2DA246806C341
                                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID: tL_^
                                                                                                                                                                                                                                                                          • API String ID: 0-225026331
                                                                                                                                                                                                                                                                          • Opcode ID: 2da579bb946467925b6dbdfea49eb5eaa4a371628b5f902de745cc8fed4e35ab
                                                                                                                                                                                                                                                                          • Instruction ID: 8ebcc9f6fee65b01e265f059059601597cdf26769c496a3911e1772d87865ce2
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2da579bb946467925b6dbdfea49eb5eaa4a371628b5f902de745cc8fed4e35ab
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5A312AB790D5564BE701BF7CE8855FA3BD4EF42324B1841B7D448CE1E3EE28644B8685
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 1cfe2d214b1334b11527aaef9f7f7edc2f7af73792964492f525fb69fd20ed53
                                                                                                                                                                                                                                                                          • Instruction ID: 161acaffe79c5bd1ba75a276d1041d9da8bb30162058d6033b93e769b0dbfb2f
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1cfe2d214b1334b11527aaef9f7f7edc2f7af73792964492f525fb69fd20ed53
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77C1267160CB494FDB54EF28D845AA5B7E1FFA5310F1802BED48DC7292DE26E846C782
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: f61c03f7b69dd0945aae0bbc35d36531ac4b9db9a0f978b7624512038492e722
                                                                                                                                                                                                                                                                          • Instruction ID: ae7144492455e490de7c64c3ceb46b69dc37788a673e8e6cc32a51293fa2d586
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f61c03f7b69dd0945aae0bbc35d36531ac4b9db9a0f978b7624512038492e722
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 34C119B290DEC60FE752AFBCD8551F97FA1EF56314B1841F7D088CA1A3E928590AC381
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: caceced3757face01124d20d105e32a245d0d7588dbe202afacad022e81cc0bb
                                                                                                                                                                                                                                                                          • Instruction ID: 2cf351a208773bac49cf79b1dfbb79d617b5b2196fda0b374d3324b263284cf9
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: caceced3757face01124d20d105e32a245d0d7588dbe202afacad022e81cc0bb
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9CC1FBB290DEC60FE752AFBCD8551F97FA1EF56314B1841F7D088CA1A3E928590AC381
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 4e79c6f56aebb4573553ee604b3354288553e2cddcb561195f01137911b5913b
                                                                                                                                                                                                                                                                          • Instruction ID: d2828eed0ce1f437f8cd45ba3c60b96f35fd503def44740d4a62f694b92eda77
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4e79c6f56aebb4573553ee604b3354288553e2cddcb561195f01137911b5913b
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E1A11470A0DA4A0FEB99EF3CD8446B577E5EF89310F1445FAC48DCB193DA29A886C741
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: e3fb38b252b0e2389996fcddebde2c9a57d2c47b4d428ed937536b4739a3c228
                                                                                                                                                                                                                                                                          • Instruction ID: 2d930855d4b0535d7963d4ee8433242f52f54cd7914feab505cc95cc3e7e52b2
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e3fb38b252b0e2389996fcddebde2c9a57d2c47b4d428ed937536b4739a3c228
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1BC1EDB190D68A8FEBA5AE64C8457E8BBE4FF4A310F1441FAD08DD71D2CA381846CB51
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 07cdd3b4e4b7111e433dda2d81c0d278b8f41e0971c146e69dbd2e67f2e92b81
                                                                                                                                                                                                                                                                          • Instruction ID: 2f2dc5b38ff40a4b30fd0f55b9f47d256155a77ca040cd4c318edf36de0e60c3
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 07cdd3b4e4b7111e433dda2d81c0d278b8f41e0971c146e69dbd2e67f2e92b81
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2B181B1A18A4A8FE795EFB8D8557E9BBE1FF98300F1441B9D40DD32C2DE2868458741
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: cd215bcc05cc9e787b72171c38540a81c93ee845086b35134ba35643321868f6
                                                                                                                                                                                                                                                                          • Instruction ID: 9721cb792d7e5ada411055bd01b4ba16130318036c10e257216d59474ce2d283
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cd215bcc05cc9e787b72171c38540a81c93ee845086b35134ba35643321868f6
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9CA1E27060CE4A8FEB99EF2CC485A7177E5EF59310B2445BDD08EC72A6D925F846C780
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          • Instruction ID: d70826cf15fcb43c4467b49ec3e86a8cfac18fd8a5ee0cf7f13b69b6c9d8fc16
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 372bbf99761380a84a794bf511bf6e3df41a6993f54f593bfca9849779e7ef57
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 35917FB1D1DA8E8FEB98EF68C9456EDB7A1FF45340F1006B9E049D72C2DE38A8018740
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 42359f94521d753e1bc9d40fabdc4e7e6626f84767a9f5f1a56e395a56a98807
                                                                                                                                                                                                                                                                          • Instruction ID: 8f4a6ff54ecb0c80f950d30e3f0c3112d5456738091e4859bd142552844b8dd0
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 42359f94521d753e1bc9d40fabdc4e7e6626f84767a9f5f1a56e395a56a98807
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98A1B3B1A0DA4A4FEB55EF78C465AADB7E2EF65310F5400FDC449C7296DE28AC42C740
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 2247f8666a270a1a3508e888d0e30784eab23db792614ae3fa4ae3992cc77a7f
                                                                                                                                                                                                                                                                          • Instruction ID: c293f145d4322f7372b9cac344c26710a7bfd4f67c7e541766c3f4a75b5f1aa0
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2247f8666a270a1a3508e888d0e30784eab23db792614ae3fa4ae3992cc77a7f
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B58105F291CE8A5FE394EF38C8597A6B7D1FF95350F1405B9D089C3192DE2CA8868781
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 1320f824baea8fde1a9d4ed961d388dd233cb07d5cb51465e896885e507e5ad2
                                                                                                                                                                                                                                                                          • Instruction ID: b1d56b42f65e2809f8f884f29797fcb543e231cdd7cc9fdd670590a07ece4827
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1320f824baea8fde1a9d4ed961d388dd233cb07d5cb51465e896885e507e5ad2
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6671F8A2B0CD490FE7A5EF3CC4587B537D1EF98250B1901FAD44DC7296DE18AC468381
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: c53480310349953bf21d350e9f0f31abb9ab6eba84dafb2443a8705980221a64
                                                                                                                                                                                                                                                                          • Instruction ID: 98dd5f2e14d449852d8fc9f93c1ba2487ded98d4aabe4cd0390ba8b43e0bcfa2
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c53480310349953bf21d350e9f0f31abb9ab6eba84dafb2443a8705980221a64
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4691B5B1909A8E8FDB85EF78C855AEDBBF1FF55300F1401BAD409D72A6DA349846C740
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 86ee7d6e46c918ad1aaca7e85e077b14b363392b3cf7e0fea8dad24816410bc3
                                                                                                                                                                                                                                                                          • Instruction ID: 9f70bba003b66fc9d9b96a5b23e0252e3b3e940be878170687bf0de190318ded
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 86ee7d6e46c918ad1aaca7e85e077b14b363392b3cf7e0fea8dad24816410bc3
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5181C3B191CB8A4FE755EF7CC494AE6BBE0EF58310F1405BED489C72A3DE24A8468741
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 21d1d7f633c1ade251d5ce241562687eee8c5f7ad426e5092ce50cbbbde40ee3
                                                                                                                                                                                                                                                                          • Instruction ID: ab2ed203867440aab9ef8c23e39131326e0fb7ceaac08dfb2f49b910734f01f9
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 21d1d7f633c1ade251d5ce241562687eee8c5f7ad426e5092ce50cbbbde40ee3
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3D71D1B1A1CE464FE7A9AF38C4982757BD5FF59310B2404FEE08EC3692DE28AC418741
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 39b3c6f57f5c6d12748d522bb3c9cc3aac326e6ecd3aac73a61cb57b812d3ea4
                                                                                                                                                                                                                                                                          • Instruction ID: d071c4d8cac89ee25046a88b2c818ce9dcbec09922713349000042a939f55b37
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 39b3c6f57f5c6d12748d522bb3c9cc3aac326e6ecd3aac73a61cb57b812d3ea4
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8B81F1B5C0D65D4FEB54EF74C9852E8BBA4FF92310F6402BAC14DD71E2DA38684A9B40
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: b403836d9491d1cf8697f033d84010baef87e30d81d2765ad258ddcc44fe3870
                                                                                                                                                                                                                                                                          • Instruction ID: a2605cc37562794c9f0b1345afad337002fc78735eb47b3ff5b61c41c081f517
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b403836d9491d1cf8697f033d84010baef87e30d81d2765ad258ddcc44fe3870
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C661F4B190EA8D8FE796EF78C8092A97BE1FF95310F5401FAD04DDB2A2DA295C45C740
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 223f68fe39e8cc49dc2b8794eb790aab7108b1c04bae4e819824be87ae7b202f
                                                                                                                                                                                                                                                                          • Instruction ID: f3b8593ae487905836b94f3b2754f0654e11330b8e1d202e5b6318f93a4a6ab0
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 223f68fe39e8cc49dc2b8794eb790aab7108b1c04bae4e819824be87ae7b202f
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01518D7171C9098FEAA8EE3CD555B7933D4FF59311B2000FAE48EC72A2DD14AC428791
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 8162c5c5bac55312984e55ffb92866199153808f4de031448b44dc76d1a8c85c
                                                                                                                                                                                                                                                                          • Instruction ID: 833dd8f9175f464b8f1b6077c998cb9c159c6bf76ac1a4e428c1d75e1cbd56f3
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8162c5c5bac55312984e55ffb92866199153808f4de031448b44dc76d1a8c85c
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 275194E290E9970BF3627EFCE9550F86B84FF51364B9881F7D08CC99D7AC1D28465281
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 716a287495428378bf849b0cf65dd11e88b25f6bb2479d8a5f7ca62174488b1f
                                                                                                                                                                                                                                                                          • Instruction ID: 7998c62f13c1a5d471ee32f37fba2e82d24b82e506b78fb2b8b62981878cab0f
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 716a287495428378bf849b0cf65dd11e88b25f6bb2479d8a5f7ca62174488b1f
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 795184A290EA970BF3627EFCE5550F86B94FF51324B9881F7D08CC99D7AC1D28465281
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 7585867622540318f008e0be0ddd0a63cbd883c9be12648993391da2f28982e4
                                                                                                                                                                                                                                                                          • Instruction ID: 461de7d0822e3fb74ec4bc65e66e742f1bf48f8868ab8c4a04b3d1cdc54665ac
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7585867622540318f008e0be0ddd0a63cbd883c9be12648993391da2f28982e4
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 84615174D4892D8FDBA8EF18C898BADB7B5FB68301F1041EA904DE3661CB755A808F44
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: d018a5acd4ffcada996ba0662b3ad1d0c0a5dff6065eba148ca4a6eeb68c5d12
                                                                                                                                                                                                                                                                          • Instruction ID: ebe030b48a740110046fcafab59fafc0792902e2be53c67d6d312d06486e977d
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d018a5acd4ffcada996ba0662b3ad1d0c0a5dff6065eba148ca4a6eeb68c5d12
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C54126A2B1CA4A4FE795EE7CD8542B577D1FFD8210B9441BAD48DC76C2ED18DC028381
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 5500d5040d84bd58a4a896991f642730886b8a649f33d1a0a6ab5af77e07f3ae
                                                                                                                                                                                                                                                                          • Instruction ID: cd5aebb685ba2a387011b3eace231a41d46fe275d019c3f7852decc6c08a1dc0
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5500d5040d84bd58a4a896991f642730886b8a649f33d1a0a6ab5af77e07f3ae
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F4414775A1DF494FEB68EE2C940697977E2FF98710B2442BEE489C3651DE24FC428381
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 718390f44e38189f04c56b50fc2509516063a497095f171d658896ffba705e09
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: fc451e5d293a98e39fcb5881729944f175d3b3df560a289a3ad9abb546ab05f8
                                                                                                                                                                                                                                                                          • Instruction ID: d454449613fe07b2ce40d41776e1136e4e7541e4297088166c039db9f490082a
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc451e5d293a98e39fcb5881729944f175d3b3df560a289a3ad9abb546ab05f8
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8B41A2B190CA4E4FEF95EFA8C8956E9BBE1FF58300F1401BAD408D7292DE359845C780
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: ad385c577da6ad34eccea5087f0c18243dfcb9794b4830c5d0e51e6a530a7673
                                                                                                                                                                                                                                                                          • Instruction ID: 84e81a2384789a5e204f6c698bc5bfd217f280fde02abef825dbe50a15c8756f
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ad385c577da6ad34eccea5087f0c18243dfcb9794b4830c5d0e51e6a530a7673
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E34107B0909A1D9FDB94EF68D455AEEBBB1EF59304F10016AD40DE3292DA38A841CB41
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 78b147124189e35a2a618a01143effe4e66b386adff7843a31b5d00befb74d8b
                                                                                                                                                                                                                                                                          • Instruction ID: ece64f5e5e37ea73248b492ebd2a0618f811649dc1955805233dd6b311d75d9e
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 78b147124189e35a2a618a01143effe4e66b386adff7843a31b5d00befb74d8b
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C419D7061CE868FEBA5EF3CC494EB277E1EF59300B1445A9D08AC76A6DE29F845C740
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: db52333f28850875044311e45656688fbd9d5806bb946ad23383964d9277bc24
                                                                                                                                                                                                                                                                          • Instruction ID: 24f13428e018034d4c3aaf734553012044f1e19c5d89b09b38e53877909be1c4
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db52333f28850875044311e45656688fbd9d5806bb946ad23383964d9277bc24
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64414171A1CE5A4FDB98FF28D4556BA37D1FFA8310F20017AE40ED7295DE34A9028781
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: aae1c7e79a43c7526a6e7fdcbf2c876079dda3c772205a50d22d3b4080142a18
                                                                                                                                                                                                                                                                          • Instruction ID: 4de33f0629ffaeb14379a9b0558bc2956b072ec735a6c910916495e46c5fb0fc
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aae1c7e79a43c7526a6e7fdcbf2c876079dda3c772205a50d22d3b4080142a18
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3E4118B2A0865B4BE755FFBCE8965E877A8FF41325F1401B7D04CCA193ED3528868B81
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: a3751f0c4bcf5c89132b15a5ca2a40d162b32ea8ba9bf18f40c36af9def80131
                                                                                                                                                                                                                                                                          • Instruction ID: ddae311515d4e7f30b901dc50218b3902019fa65022cc4decdd1396d63cb5998
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a3751f0c4bcf5c89132b15a5ca2a40d162b32ea8ba9bf18f40c36af9def80131
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D3109A2B5CD560FF394BE3CD8192B937D4EB98351F1805BBE88DC6291EE5C9D424381
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: e26c628703fa26086ea5362353d1f8d78e43427499e3966dfacae18a4edcc267
                                                                                                                                                                                                                                                                          • Instruction ID: d16216670f5956bbf3e041dc85de237e87af440f3bbcefb4f096a065dcbc9d26
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e26c628703fa26086ea5362353d1f8d78e43427499e3966dfacae18a4edcc267
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F4107B1D1D6198BEB44EFA8D5856FDBBF5FF48300F60017AE44AE7682CE3868458B40
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 41b3c2806d09b60da7756e041f25edc0218e0ed84125b588c0f7f29135ebd76f
                                                                                                                                                                                                                                                                          • Instruction ID: dcb7bdba3eb8778c0c054b72845325d42a808ada2f7274362da3257805d19f42
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41b3c2806d09b60da7756e041f25edc0218e0ed84125b588c0f7f29135ebd76f
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F41B1B190DA4C8FDB95EF78D4152EDBBB1FF4A310F6000BAD00AE7292CA795841CB40
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: cc6981b5db3bc8101922e2bb03980a4fb6d8ad1eb9a4d1dfec9dc4cc3aada811
                                                                                                                                                                                                                                                                          • Instruction ID: 39b9b5a06de0385d04917263ed2fae6d92f3c06cdba8547a436153c924e557b5
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc6981b5db3bc8101922e2bb03980a4fb6d8ad1eb9a4d1dfec9dc4cc3aada811
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7941FFB690E7D94FE7169FB4CD659A9BFB4EF12300F1800EED488CB593CA285809C352
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 15e7bf4716a409f780791efa20ba2527762403ab6291a413189f93d88b670dce
                                                                                                                                                                                                                                                                          • Instruction ID: 96c259a1854151227b51d5fd60348271462fb2ec9639cceaf2f95b7162b55a29
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 15e7bf4716a409f780791efa20ba2527762403ab6291a413189f93d88b670dce
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B418C7061CE468FDB95EF3CC484E62B7E1EF59300B1445A9D08AC76A6DE24E845CB40
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 693b2ed3967881365f394accbbfabeada0f9f0e55d9b627379717b7258b5be0c
                                                                                                                                                                                                                                                                          • Instruction ID: e5d9e6b87e0bc4078049f56e783a139f0d2282abfe3b87305302faba6a9970e3
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 693b2ed3967881365f394accbbfabeada0f9f0e55d9b627379717b7258b5be0c
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5441D6B190E6899FE796EF78C85A1A9BBE0FF47260B4401FEC049CB5E2DA6C1C45C711
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 9b071dc1898d7dee84c3167b40d6b34d2eee73a97bb49b668ac730a8cd8e53fa
                                                                                                                                                                                                                                                                          • Instruction ID: feefbbe08b0f40b62d37e0b4088efc0101e742a118bcbbf816d3c2b41eba70b4
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9b071dc1898d7dee84c3167b40d6b34d2eee73a97bb49b668ac730a8cd8e53fa
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE31D461A0D7C60FD756AF78C8641B43BF1FF9A24071940EBC489CB1D3DE1C980A8352
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: b1c36e58edf59121fd1dbbfadd8d3e2fc57a2cbbb826003243665f53023a27d2
                                                                                                                                                                                                                                                                          • Instruction ID: 2d9c1c90ff27a4994922e40ce44a05157dce42b3546dc63d704f79257071eac0
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b1c36e58edf59121fd1dbbfadd8d3e2fc57a2cbbb826003243665f53023a27d2
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A31D460A0CB580FE759AF2CD855B7A77D5EF9A710F1442EFE449C3293DA14AC4583C2
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 07cf23da4ea792b69610ffbb08c4675171abec31be234370a80c5d5729bbbea1
                                                                                                                                                                                                                                                                          • Instruction ID: 95c49bfe968e1512354b8a786ff0f081312f330124deb70d9c97605aaade5fc6
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 07cf23da4ea792b69610ffbb08c4675171abec31be234370a80c5d5729bbbea1
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6131487150DA460FE759FF7CC8496B67BD4EF89314B1482FED48ACB592D928AC42C390
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 6e7a5f93c860825ee36e95339a719ee0941d95ef5c32e8d7ee51bf1d8ed9814d
                                                                                                                                                                                                                                                                          • Instruction ID: 983a86ca2f9d3aacc9c8584daf1926b6009acde1ccb92d28b57d2ee87c9b798b
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6e7a5f93c860825ee36e95339a719ee0941d95ef5c32e8d7ee51bf1d8ed9814d
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4931667160DB884FE7A9AE2CD8556753BE5EF66220F0801EAE089CB5E2ED15EC028341
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 9bf2e2504cf6494650ab07b84f0dd1cd8bc6560a97db2801e0e0c1ed960cdbc8
                                                                                                                                                                                                                                                                          • Instruction ID: 5a8c818e0d9490b6fb6cd06ea384e0c5baa33f8270b4e59227fa8767e0451ec8
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9bf2e2504cf6494650ab07b84f0dd1cd8bc6560a97db2801e0e0c1ed960cdbc8
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 79312AB1B1CE554FE790ED2CD4846B5B7C1EFA9324F1405BBD48CC32A2CA58E980C385
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: c6eb05a2c4e1763c998a08e194b592ac37597d26d137e3333f2b1cf5ea59d278
                                                                                                                                                                                                                                                                          • Instruction ID: 985e8282e962f5150b0ed748ee924f19c922754ea93b4059e568b3359270e12a
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c6eb05a2c4e1763c998a08e194b592ac37597d26d137e3333f2b1cf5ea59d278
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A841B1B09096899FD796EF78C8956E8B7B1EF49300F1040EDC04D97692DE38AD85CB00
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 79001b4d4fd0a59924451f3d87a6adc8db71a2a99681acc803d560d93f7cc314
                                                                                                                                                                                                                                                                          • Instruction ID: 48f761e3482772a9b30fa0fa15d1fe5f1111bbd91f21e4e13e51c41ece02ec9d
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 79001b4d4fd0a59924451f3d87a6adc8db71a2a99681acc803d560d93f7cc314
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6721C792A0EAD61BE352BEBCE8A51E96F94DFD623171841F7D488CA097EC08590B8251
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: e4c4d7f05a7f26f7d6c4aa0676ded3d6b1c313518917933a9e22427ec4cf4b7b
                                                                                                                                                                                                                                                                          • Instruction ID: dafa54200d5b14d3e0f3d1ceded2d7131deab7372b76e2070b3e23fd6825d12d
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e4c4d7f05a7f26f7d6c4aa0676ded3d6b1c313518917933a9e22427ec4cf4b7b
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 833191A150EBC60FE356AF78C8591A47FE0DF4765075944EBD084CF1A7D51C9C098352
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 55781e6449bf4e31e0627db17d88222ce4d0d3f90a7184b4d79b06ecdac5cbd8
                                                                                                                                                                                                                                                                          • Instruction ID: 60d444293ffd9d9f1a64af66491aeb67741151d58431895c10084625c1010193
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 55781e6449bf4e31e0627db17d88222ce4d0d3f90a7184b4d79b06ecdac5cbd8
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE3104E190E68B5FE345AFB8C82A5E97BD4EF21260B1405FAD04AD70D3EE1C08468B41
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: c9e39e2d0e897e122cfda7f4ab4fac329bec2196c2aca29fd1aa535c4b500b35
                                                                                                                                                                                                                                                                          • Instruction ID: 86d8338e73eeb13d333be525374d4f5edca9fe64128f26638b39bdefd3620520
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c9e39e2d0e897e122cfda7f4ab4fac329bec2196c2aca29fd1aa535c4b500b35
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7931E4A291DACD4FEB59EF78C9442B97BA4FF16200F5800FAE848CB1D7DE289845C751
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2757572715.00007FFB4AB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB30000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4ab30000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 4931ae569cd11a0d8db5d70ac7ecd13a0d4a3d72934380594be95263853abb02
                                                                                                                                                                                                                                                                          • Instruction ID: f38d2b714ab47f58b5955a7bff9c48f77b8a3dddfe1b3a0cedc31e95056320c9
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4931ae569cd11a0d8db5d70ac7ecd13a0d4a3d72934380594be95263853abb02
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 532106FA80D7C54FDB526F7488550D83FA4FF52210F0802EBD498CB5D3EA299949C781
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: f79200ec6c2fa3a52d94b89c6a07a9b3726a95834622057d68be55c0f7caf03f
                                                                                                                                                                                                                                                                          • Instruction ID: 360c68c96d020b98e2c84d34d374baaeeac1f9f248b695de1735f76a55e74b28
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f79200ec6c2fa3a52d94b89c6a07a9b3726a95834622057d68be55c0f7caf03f
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F11134B2B4CE4A1FE7D5E93CE86A2B927D1DBDD26172402BBD48DC3296DD148C034381
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: e0d27c8a06e8f118a1393efcade6008e3c4fcf28e9d4078e2ee692e2f98263fc
                                                                                                                                                                                                                                                                          • Instruction ID: cebc4dee40472e1f7f120d7d05725bef4b1bbcbd178319f15826dcb54858d204
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e0d27c8a06e8f118a1393efcade6008e3c4fcf28e9d4078e2ee692e2f98263fc
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8421B2B1C09A4C8FDB85EFA8D8556ED7BF0FF68310F0000ABD009E7291DA745841CB81
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2757572715.00007FFB4AB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB30000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4ab30000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: e7f12d9b3894492d7a1a2749720241698c06e0e127f8fc6d1cf6e1a1bc009cb9
                                                                                                                                                                                                                                                                          • Instruction ID: 02c046485484f813011659845c3723433db6dfe745fa740850e824c92d242fc3
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e7f12d9b3894492d7a1a2749720241698c06e0e127f8fc6d1cf6e1a1bc009cb9
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB112562B0DD4A0FE2D89CBDBC991712AC9DB9861272500FBE54CC3363DC05CC468381
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 8c1212c0c22815a6861907b125d5defb9b518cb3de3d472361d10ae7e2ed2109
                                                                                                                                                                                                                                                                          • Instruction ID: 0b3fef38987506b33c2b5a2cf259cff340018eecc53f1af4dde98ff85dde5665
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8c1212c0c22815a6861907b125d5defb9b518cb3de3d472361d10ae7e2ed2109
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2321A4B0D09A4C9FDB85EFA8D8596EEBBF0FF58310F00006ED409E3290DA745840CB91
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 0e82f034a79fc8c8ef9c741df627f2400e672ca3c3fb380e3702676b02fcdc40
                                                                                                                                                                                                                                                                          • Instruction ID: 6095eaabe8a722726e0fc4e5373f236ab5a0ab34297cb75e0fd08d71ccd3f595
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e82f034a79fc8c8ef9c741df627f2400e672ca3c3fb380e3702676b02fcdc40
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4821907191CA8A8EEB98EFA8D440EB6B7E0FF54310F10457DD44AC3692DE28E8858781
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 58a4b960b9a1d929bc55694fc3a4094d8c5d9f0deec0bf2827094b3b4cbb8f63
                                                                                                                                                                                                                                                                          • Instruction ID: ec18509c13a1fb42bdcbe2098c27bdb406d051ac6ee0bd537207be7d1154376e
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 58a4b960b9a1d929bc55694fc3a4094d8c5d9f0deec0bf2827094b3b4cbb8f63
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BE11B1B050CB885FE378AF28C84C7A77BE5EBAA301F00457E94CCC3262EE3468418752
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: f86d5feaddc9625b1ae69ea6d7a1371cabaf6949bb297edc19dd1e9774f79fd8
                                                                                                                                                                                                                                                                          • Instruction ID: 5b8056850beac3e491406cefaf47f2126b5bc316e98bcedd681bf1ec06ca8bca
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f86d5feaddc9625b1ae69ea6d7a1371cabaf6949bb297edc19dd1e9774f79fd8
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE2103B280E696AFE716FF78C8561EA7B90FF42310F0541FAC009DB1D2EA395844CB81
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 46a2e60a5b4cc2bbacf0b8f5084343e23ff5413af4fbf68ae8a4e7759ae88302
                                                                                                                                                                                                                                                                          • Instruction ID: 461cb058cabf519b6c5262a5e26f2f97548d40d5db609597349578c6d29a9f2f
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 46a2e60a5b4cc2bbacf0b8f5084343e23ff5413af4fbf68ae8a4e7759ae88302
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6D2127A250EBC70FE351BE7CC8491A57FE0DF46690B1944FAD088CB1A7E8185C098341
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 0c3e3ba6a9915f732d59ffaab3c9cdcad628f461b031976531daba51ec7fc801
                                                                                                                                                                                                                                                                          • Instruction ID: 035ba88be2f102b24711c79f122c76f200646f76bec7f09883326934007d0a2b
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0c3e3ba6a9915f732d59ffaab3c9cdcad628f461b031976531daba51ec7fc801
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 111191A2B0DE4B8FEBE8EE6CD4642B567D1EBAC25076445BAD04DC7195DE14EC068380
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 7adc2f8821f217b6dd7a677e45cdcf74a6f74966b2464ee0a66b9418c23b7e74
                                                                                                                                                                                                                                                                          • Instruction ID: fe3d94297aadfd1da0c2ae2c37c942934c9fdf0273f7adc844be6f2804cd0825
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7adc2f8821f217b6dd7a677e45cdcf74a6f74966b2464ee0a66b9418c23b7e74
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7F112D71B1C9199FD7A8EF5CE8566AD77E1FF9C711B1001EAE049C72A6CE24AC0287C1
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 127e3e4db1d672ba57b45bf760e94c1cb260d997edce931c6f28a0ce420d886c
                                                                                                                                                                                                                                                                          • Instruction ID: 8d1b7ca182c74f996b75746108ff497e8a3d53416d23ecedf0c0a398944a4eec
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 127e3e4db1d672ba57b45bf760e94c1cb260d997edce931c6f28a0ce420d886c
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F11517170C8195FDAA8FF2CC598A7A32D9FF88300B6405BAE04EC3292DE14AC418755
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 7116d65406059d70583bbd1ccda5ee5276a36e8ef79b55d87f7f4fdd45ff468e
                                                                                                                                                                                                                                                                          • Instruction ID: 901968fe18961cb64c373e9091de41067c37fedad4d87ff1540105b36a234e69
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7116d65406059d70583bbd1ccda5ee5276a36e8ef79b55d87f7f4fdd45ff468e
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A11A2B1C0E7885FEB42AB74D8152ED7BE4EF46221F0544FAD144CB0E2DA2C6948CB21
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 417bf60019312872c503474168bc04e837c7f8c98b48c0788f0fe01cdd1e6c93
                                                                                                                                                                                                                                                                          • Instruction ID: c65046b7808192a7877f2fc3c6cb0df2d01835994bd3f41f8bc2dae7c155f2ec
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 417bf60019312872c503474168bc04e837c7f8c98b48c0788f0fe01cdd1e6c93
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D1010892A18D4A0BE399EEA9C88D2F567D1FBB8780B1401BAD04DC32E2DE28594743C0
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 6f93ed2edcacf42799697ca93b656cf011b139a7d41d8459a4eeef907607bbb4
                                                                                                                                                                                                                                                                          • Instruction ID: 8a74dce20ce8f22b156c1018c2727ed0af9ca0a7391de8195505d66bd3847eb9
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6f93ed2edcacf42799697ca93b656cf011b139a7d41d8459a4eeef907607bbb4
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA119DB080E7C9AFE746EFB4885A29DBFF0EF16250B5804EDC081DB1A2D66D4C85CB00
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: d986c931db2e1f7c2205efd25ac70c241dc0414119adf87f6cb6ed831aee99b5
                                                                                                                                                                                                                                                                          • Instruction ID: 1b72391cc5b82d406dcaa218a46e1e07c2032106cf7a72f532a4f0816b675dad
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d986c931db2e1f7c2205efd25ac70c241dc0414119adf87f6cb6ed831aee99b5
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8711C5B1D0DA1D8FDB98EFA8D4956ACB7B6FF59301F1011AAC00DE7292CA3069818B40
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: ece13f02337bf62cf8660367c5df2ff3605da93d30bef8e5d7d1d0112cce7e0c
                                                                                                                                                                                                                                                                          • Instruction ID: 1fd7d5b8201c1c3c81c61e88d2c411ffb012ce14af0b19fffb48993944509df4
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ece13f02337bf62cf8660367c5df2ff3605da93d30bef8e5d7d1d0112cce7e0c
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 950145F2A1CA4A1FE395AE78C9A51F93BC0FF45221F5000FAD099C35E2EE1918058641
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: e589a6bcc02f9d0ba6815ed662fa51a2bd122016b7636a5a2fb85ef9c12d76a0
                                                                                                                                                                                                                                                                          • Instruction ID: 21b2ba024e5d3482fc93cc80f27a908cf22118b7f45fede8017d82381b3c81aa
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e589a6bcc02f9d0ba6815ed662fa51a2bd122016b7636a5a2fb85ef9c12d76a0
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6501D6B1B0D90E1FE794ED6CE8446B633C9FB98310F9002BAF44CC3692ED29D8018380
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 85eb98e1297b30b25972dc2b0b508acc0ce7625f3baa144a818fff082d6c61c0
                                                                                                                                                                                                                                                                          • Instruction ID: e7b43ae2d0e05532d155ace9b4272abffa6a78dd4ab21b36b0513f2007a21f2f
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 85eb98e1297b30b25972dc2b0b508acc0ce7625f3baa144a818fff082d6c61c0
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D9012670A18D0B4FD799FF78C4505B2B3E6FFA8300B5481BAC409C32C6DE24E8424740
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: ce1baac516ce8c721f3793d1824296e7eecd956515b730888b752a55da400ac3
                                                                                                                                                                                                                                                                          • Instruction ID: f13abd9b93893a8f8e4395c8708e9a3f04ee905ad4268adccaff347a3d4d06b9
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ce1baac516ce8c721f3793d1824296e7eecd956515b730888b752a55da400ac3
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2C01057581962D8ADF54EFA8D8956FEB7B1FF18301F20056AE00AB3691D7785A84CB80
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 2318ec6e96b54df37345a171f737e99ecc89af709fb36ea1df4c670a4405b009
                                                                                                                                                                                                                                                                          • Instruction ID: fa8a8bf76b41ea00208236c31d8a30bcbc38fb53271b2f71af262f64a7d44a57
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2318ec6e96b54df37345a171f737e99ecc89af709fb36ea1df4c670a4405b009
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B401B570909F484FE794EF38D1496AA7BD1EFD4314F14097ED889C7365DA38A4418741
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 012ca51a087d5706d1fb5150bbaf9127837b6ae621aab91b2fcbf1dce2dc52da
                                                                                                                                                                                                                                                                          • Instruction ID: 4c71611f6846d1fb8d432de5d0ba250ab1fba74c4b28ee237a8403539922feaf
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 012ca51a087d5706d1fb5150bbaf9127837b6ae621aab91b2fcbf1dce2dc52da
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 21014CB1E0461D8FDB88EF98D4806EDB7B2FF98311F50417AD41DE7285CA349845CB40
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2758178968.00007FFB4ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABC0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4abc0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 69f3916dacc26373c3fd1edf84922e45310b25b8ac138733f0b255c3ab1ee95e
                                                                                                                                                                                                                                                                          • Instruction ID: 1fc554dc59653524fefc393f658c82784ba08d296409f4178beba0a254debc94
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 69f3916dacc26373c3fd1edf84922e45310b25b8ac138733f0b255c3ab1ee95e
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2F08161B1CA1A4FEBA8EF68E851BE97396FB88310F5440F9D40DD3292DE25EC45C781
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 56861cbb5e9f0ad03efc45a857ce0237583fc981c0f703d02b084c0a9b677bcf
                                                                                                                                                                                                                                                                          • Instruction ID: 4f03e3790345f5462f5f192963aa1da32895ebf76d9882a273af17e90300b166
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56861cbb5e9f0ad03efc45a857ce0237583fc981c0f703d02b084c0a9b677bcf
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3001F2B180D789AFE742EF74C9652E97FA0EF46210F4500F6D549CB0E3EA2918098351
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: da60b6fdb2e83aa2759863f524e8d97b88bbf52f533da174f4967015405a0867
                                                                                                                                                                                                                                                                          • Instruction ID: 7bda4a5ab2f3bdafaff9c670edfa6e818d1f501c0d99f5ae0ba1308acd40db00
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da60b6fdb2e83aa2759863f524e8d97b88bbf52f533da174f4967015405a0867
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28F0F46050DECA1FE71AEF38C5155A07BE4EF46310F5C01F6D488CB297D919A8848381
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: d5abb0f0c495de1a8e12eed0aac8744120743c5310b3b143f4f39ce2c616a89b
                                                                                                                                                                                                                                                                          • Instruction ID: 9c7f8c73fab6fc96c6f18606c79d5421f3fc84f587556b18ebcdf339829c26e7
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5abb0f0c495de1a8e12eed0aac8744120743c5310b3b143f4f39ce2c616a89b
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE018CB081DB8E4FDB46EF7888541F9BFB0FF59200B4005BBD868C32A2DA758918C741
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 21a9f8047b2ba5683b4334bf812a879a10b536c29b963e7c5747464bcd4fa289
                                                                                                                                                                                                                                                                          • Instruction ID: f70dbf5e26e89ec0e0840942aceb97f2c432b5f294b9a732f9eb726ab8eb82c1
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 21a9f8047b2ba5683b4334bf812a879a10b536c29b963e7c5747464bcd4fa289
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CAF0E992E1ED8A0FD3A6AA3C99651A41BD5EB9512035801FBC488C71C7DD0C48424381
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 32dd32b28eeb117cf0730358b9e80c26de277a816552052502e83389f4c1d7cf
                                                                                                                                                                                                                                                                          • Instruction ID: d4e6d9601e6b7f8d61964b48faa538b511041487668bbd897e6b4a578e732729
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32dd32b28eeb117cf0730358b9e80c26de277a816552052502e83389f4c1d7cf
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD01ADB080E68E8FDB45EF24D9512E97BA1FF95300F1105BAE81CC76C2CA7AE851C780
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 35524582952d4b6d5bb1d6171b33651815525ff320c8714d840e39881e2075ac
                                                                                                                                                                                                                                                                          • Instruction ID: d9c75024dce7819297ad97e0b40610d1ac54b66ca03d7b89d39f9a06c26c3be4
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 35524582952d4b6d5bb1d6171b33651815525ff320c8714d840e39881e2075ac
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2BF08570C0860C8BD724AE69E0003FAF7B8FB4A309F5021BAD00CE2180C37A99A5CB18
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 33c5349265fab151ac186f9c90c7d2764f11d5fc2aa5ce2188671941960d99ce
                                                                                                                                                                                                                                                                          • Instruction ID: cf1094daecbbfbcf5f9aa4c8d77b2ccd3df4f0705acceff323cdda6abd99334d
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 33c5349265fab151ac186f9c90c7d2764f11d5fc2aa5ce2188671941960d99ce
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2F02771A1CD1A0FEA98BE3CD1996FA23D5EF95710F54007AD44FC22C6DC18A8828380
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: b02cda7c211eda4db9c8462b1f3f6bec4939c928c8b8fd0ed6dda2621430f7e8
                                                                                                                                                                                                                                                                          • Instruction ID: a4770db31a1da3983c05ca57c8f2c2366688928917ab29945e1d668da3525ec7
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b02cda7c211eda4db9c8462b1f3f6bec4939c928c8b8fd0ed6dda2621430f7e8
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4F090F2D0861D9FDB50DFA8D4141FDBBF4FB68321B1002E6D408D3645DA3959008740
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: f57858196b167f47f642ed5f92a1d169babfbe3cd3684e7ea6838eaae116bb6a
                                                                                                                                                                                                                                                                          • Instruction ID: 0898bb0d94d7f190d0353da4938891485ae4319d064709dbc875bd708b2e30ed
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f57858196b167f47f642ed5f92a1d169babfbe3cd3684e7ea6838eaae116bb6a
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48F0593191CE4A0FD355EF2CC5482E0B7D0FF48311B5801F6D448C729BDA18E8918780
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 95cc7320d63c5848788a36a0cd6e47b6f9df75455ffc5d486ed14a6c1a417093
                                                                                                                                                                                                                                                                          • Instruction ID: 5f8a4a4b45e1ba119477c97dadd6d9e0ad1c48661a1f246223a1e018ab3a6a94
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95cc7320d63c5848788a36a0cd6e47b6f9df75455ffc5d486ed14a6c1a417093
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3AF01D71E0992D8EDB94EE68D8506F9B372FB4A211F1045F5D41DD3181CE359D458B41
Memory Dump Source
• Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: ee24998ceb966f6f19c7d19df1a3ec9f51e5478488893084bfda755da84071a4
                                                                                                                                                                                                                                                                          • Instruction ID: 2b125e62f0042ad1dae76029092d378e657bb35032250cee7eae460660325a56
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee24998ceb966f6f19c7d19df1a3ec9f51e5478488893084bfda755da84071a4
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90E092B280A1465BD746BEF4F4115FAB790EF01360B1054FED42DC7453EE2414554F92
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: b28696a2d68fbefb7fdb57de556105a8e96ad16b7a0da49950516e344ca053ff
                                                                                                                                                                                                                                                                          • Instruction ID: 072a14ab255bf14239d41d8a31ff78ee9415ef14f2bc4e8781e099026038747b
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b28696a2d68fbefb7fdb57de556105a8e96ad16b7a0da49950516e344ca053ff
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 02E0DF80A2DA461FE368BA7DA5860B97FC5EB8952071945FAC048C309AE89C5C424381
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 640399f4129b66c0544ee99c0e3d33c99b12118362200439f3bdca25c05e2fbf
                                                                                                                                                                                                                                                                          • Instruction ID: 45df7eb1b6c1c2d0cad9790a5fbde85673c848dd31b3cca9f410e534b653df55
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 640399f4129b66c0544ee99c0e3d33c99b12118362200439f3bdca25c05e2fbf
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4E086D180F6D20FEB436FB8CA5A5D4BF95AF16310B4C81F6D548CB1A7D54D9409C342
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 813a4d8f2d96d7eff6fd63362f7170f3feca42760a708a73a2e6664359c9ffe5
                                                                                                                                                                                                                                                                          • Instruction ID: df6a5dd8766d38eca2c3f1d35dee249d3a3e8f7f0ae81241678e377a4e2cec71
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 813a4d8f2d96d7eff6fd63362f7170f3feca42760a708a73a2e6664359c9ffe5
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58E0C271E0581D8ECB95EB78E8517EDB7B1FF85201F9440FAD40DE3652CA35A9858B00
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: de35e7feb9d8df1995928a74e106e820381e1d73db9e9e5520e5748b902f670b
                                                                                                                                                                                                                                                                          • Instruction ID: 426e0bd8b1ce75fbfaddd6ba331381780fac62adb0a99d8a9932d92faf15c6e2
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de35e7feb9d8df1995928a74e106e820381e1d73db9e9e5520e5748b902f670b
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D0E012B080EB856FD742EFB4945A4DD7FF0EF1A220B5804E9D488D7163DA2C5881CB52
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: be49f8fddf4d25c32deacc6abbef65d5a9986b271c211bb54f5e92257355f106
                                                                                                                                                                                                                                                                          • Instruction ID: 609817b386179db1442658d00faec07c80922e96d6fe55d4e9bf58ecb886b463
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: be49f8fddf4d25c32deacc6abbef65d5a9986b271c211bb54f5e92257355f106
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44E01A70A189194EE768EEA8C8883BDA3B1FB98300F10017A900DD3282CE3459028B40
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: 9f64b529df25adec3084e24b5a26fa284a32ad900ccd319b16b7d88657f47f8d
                                                                                                                                                                                                                                                                          • Instruction ID: df4dbf545d825610a12be53450713f8c4a101825bd2562481075b4cae67cf54b
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9f64b529df25adec3084e24b5a26fa284a32ad900ccd319b16b7d88657f47f8d
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F4E0B6A140EACA6FEF86BE78855609A7BA09F46690B1944E99089DF0A2F61C080D8302
                                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                                          • Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
                                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                                          • Opcode ID: a7b03ac9c17548e7f702adda390df2e65e1c1e9088f70129c3ea7c16e858efa5
                                                                                                                                                                                                                                                                          • Instruction ID: ff706f42cfd025641c47b9b042063935ba4de0f182906da785453cba3363480a
                                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a7b03ac9c17548e7f702adda390df2e65e1c1e9088f70129c3ea7c16e858efa5
                                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 62D05E3014A2404FDB59AE2CE080880BBA0EF122047550AE8E0054B1A3C52ADC82CB09
Memory Dump Source
• Source File: 0000000F.00000002.2755908676.00007FFB4A9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A9B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ffb4a9b0000_AteraAgent.jbxd